==Your Overture=

Hello,

I know this letter might come as a surprise to you especially since we have never met or discuss before, basically the message might sound strange but it is factual in reality if only you care to know, The truth is that I should have notified you first through a more confidential means, (even if it's at least to respect your integrity) please accept my humble apologies if I Had caught you unawares, I frankly do not mean any harm in passing my message. We are members of the Special Committee for Budget and Planning of the British Petroleum and Mineral Resources, This committee is principally concerned with contract appraisal and the approval of contract in order of priorities as regards capital projects of the British Inland Revenue, with our positions we have successfully secured for ourselves the sum of Twenty Million Five Hundred Thousand British Pounds (20.5 Million Pounds) the amount was accumulated from the over invoice. Hence together with some of the top officials of the British Petroleum and Mineral Resources, We plan to transfer this amount of money Twenty million five hundred thousand Pounds (20.5Million Pounds ) into an overseas account by awarding a non existing contract from my ministry (BP). To this effect I decided to contact you and ask for your assistance, what we need from you sir, is to provide a very vital account in which the fund will be transferred. My Colleagues and I have agreed to compensate the owner of the account used for this transaction with 25% of the total amount remitted; we shall keep 73% and remaining 2% reserved for taxes and other miscellaneous expenses. Finally the confidence and trust reposed on you cannot be over emphasized, Therefore you are to keep this Deal to yourself confidentially because Caliber of personnel's involved are men in government and cannot effort to loose our respective reputation to our dear country if jeopardized by you. Please Contact me urgently through this my private email address:( 122205@post.com ) for our easier communication.

Yours Faithfully

Tufan Erginbilgic-Chief executive, Downstream-British Petoleum-London-United Kingdom

Email analysis :

NOTE : 122702@post.com
NOTE : contact@onivo-cosmetics.com
NOTE : Received : from User (unknown [69.166.186.10])

NOTE : Corrupted IP (69.166.186.10) sending scam, spam, phishing

NOTE : by jn633.jn-hebergement.com

Indebtedness for driving on toll road #000948265 (Virus)

Notice to Appear,

You have not paid for driving on a toll road.
You are kindly asked to pay your debt as soon as possible.

The copy of the invoice is attached to this email.

Sincerely,
Thomas Gorman,
E-ZPass Agent.

E-ZPass_Invoice_000948265.zip

File analysis :

OPEN FILE : E-ZPass_Invoice_000948265.zip
RESULT : FILE IS A VIRUS

Virus analysis :

SHA256 : 5ec5b13bbf1d2a2179168acfaec53da59afa6b8ca480930e1b56d996b51dd140
ALYac : JS:Trojan.JS.Downloader.AN
AVG : JS/Downloader.Agent
AVware : Malware.JS.Generic (JS)
Ad-Aware : JS:Trojan.JS.Downloader.AN
Arcabit : JS:Trojan.JS.Downloader.AN
Avast : JS:Agent-DOB [Trj]
BitDefender : JS:Trojan.JS.Downloader.AN
CAT-QuickHeal : JS.Downloader.Z
Comodo : Heur.Dual.Extensions
DrWeb : SCRIPT.Virus
ESET-NOD32 : JS/TrojanDownloader.Nemucod.AS
Emsisoft : JS:Trojan.JS.Downloader.AN (B)
F-Secure : JS:Trojan.JS.Downloader.AN
Fortinet : JS/Agent.CPL!tr
GData : JS:Trojan.JS.Downloader.AN
Kaspersky : Trojan.JS.Agent.cpl
McAfee : JS/Nemucod.c
McAfee-GW-Edition : JS/Nemucod.c
MicroWorld-eScan : JS:Trojan.JS.Downloader.AN
Microsoft : TrojanDownloader:JS/Nemucod.P
NANO-Antivirus : Trojan.Script.Agent.dtchtk
Rising : NORMAL:Trojan.DL.Script.JS.Nemucod.b!1616509[F1]
Sophos : JS/DwnLdr-MON
VIPRE : Malware.JS.Generic (JS)
nProtect : JS:Trojan.JS.Downloader.AN

Email analysis :

NOTE : thomas.gorman@jerusalem.hostyou.com.br
NOTE : client-ip=104.238.195.142;
NOTE : Sender Address Domain - jerusalem.hostyou.com.br
NOTE : X-Source-Args : /usr/bin/php /home/centova/public_html/coisaseria.com.br/post.php
NOTE : < centova@jerusalem.hostyou.com.br >
NOTE : Mime-Version : 1.0
NOTE : X-Source-Dir : centova.com:/public_html/coisaseria.com.br
NOTE : X-Priority : 3
NOTE : X-Get-Message-Sender-Via : jerusalem.hostyou.com.br:
NOTE : authenticated_id: centova/primary_hostname/system user
NOTE : X-Source : /usr/bin/php
NOTE : Received : by 10.202.17.82 with SMTP
NOTE : Received : from centova by jerusalem.hostyou.com.br
NOTE : Indebtedness for driving on toll road #000948265

Rép :Re:Re:NEW ORDER‏‎ (Virus)

l have checked and back to you again, please check the attached Purchase Order and see the products and quantities WE needs and quote your best price by issuing us price list and Perform Invoice accordingly.you will see the specific brand,description of the product we want your company to supply to us. We expect to hear from you shortly to enable us set with the purchase arrangement/agreement once the price is competitive and we get your assurance on the quality of the products.

Your early reply is highly appreciated.

Thank You !
Regards
Mis.July Doin
Vice General Manager
---------------------------------------------------------
Purchasing Manager
Addweden Svenska SAP
Svenska AB 151 D Zip Code:55652
Tel:46-858-780000/Fax:46-858-780001
Email:julydoin1@hotmail.com

Email analysis :

NOTE : Julydoin@hotmail.com
NOTE : royalbankofscotlandn@gmail.com

Virus analysis :

SHA256: 64d7f46ef678cb27e60a7992be9f5095eb5b61b959a16d4cb9441757349fba11
FILENAME : NEW ORDER.ace
==================================
AVG : MSIL2.BGGQ
Ad-Aware : Gen:Variant.Kazy.263448
Avast : MSIL:GenMalicious-RW [Trj]
Avira : TR/Meredrop.EB.1
BitDefender : Gen:Variant.Kazy.263448
ESET-NOD32 : a variant of MSIL/Injector.BYE
Emsisoft : Gen:Variant.Kazy.263448 (B)
F-Secure : Gen:Variant.Kazy.263448
GData : Gen:Variant.Kazy.263448
Ikarus : Backdoor.Androm
Kaspersky : Trojan-Dropper.Win32.Sysn.aweg
MicroWorld-eScan : Gen:Variant.Kazy.263448
Panda : Generic Malware
Sophos : Mal/DrodAce-A
==================================

Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: http://spitalcuzavodaiasi.ro/CUSTOMER.DOCUMENT-STORAGE-DATA/get_invoice_document.html
DOCUMENT LINK: http://lamichelangelo.it/CUSTOMER-DOCUMENT-STORAGE_DATA/get_last_document.html
DOCUMENT LINK: http://www.trans-arts.com/CUSTOMER~DOCUMENT-DATA/last-invoice-document.html

Documents are encrypted in transit and store in a secure repository

---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.

Email analysis :

NOTE : no-replay@invoice.com
NOTE : User-Agent : Roundcube Webmail/1.1.1
NOTE : Received : from unknown (HELO invoice.com) (37.191.103.140)
NOTE : Received : from unknown (HELO invoice.com) (69.42.188.58)
NOTE : Received : from unknown (HELO invoice.com) (80.156.199.162)

Process Analysis :

CLICK : one of the three links.
DOWNLOAD : invoice_pdf80985.zip
EXTRACT : invoice_pdf40132.exe

invoice_pdf40132.exe analysis :

AVG : Crypt3.BTYL : 20150122
Ad-Aware : Gen:Variant.Zbot.154 : 20150122
AhnLab-V3 : Spyware/Win32.Zbot : 20150122
Avast : Win32:Malware-gen : 20150122
BitDefender : Gen:Variant.Zbot.154 : 20150122
CMC : Packed.Win32.Katusha.3!O : 20150120
Cyren : W32/Trojan.RHQS-4975 : 20150122
DrWeb : Trojan.Upatre.128 : 20150122
ESET-NOD32 : Win32/TrojanDownloader.Waski.F : 20150122
Emsisoft : Gen:Variant.Zbot.154 (B) : 20150122
F-Prot : W32/Trojan3.NGH : 20150122
F-Secure : Gen:Variant.Zbot.154 : 20150122
GData : Gen:Variant.Zbot.154 : 20150122
K7AntiVirus : Trojan-Downloader ( 0049d22b1 ) : 20150122
Kaspersky : Trojan.Win32.Staser.awtk : 20150122
Malwarebytes : Trojan.Email.FakeDoc : 20150122
McAfee : Downloader-FAHF!01F769E9BD9A : 20150122
MicroWorld-eScan : Gen:Variant.Zbot.154 : 20150122
Qihoo-360 : Malware.QVM20.Gen : 20150122
Rising : PE:Malware.FakePDF@CV!1.9C3A : 20150121
Sophos : Troj/Dyreza-AM : 20150122
Symantec : Downloader.Upatre : 20150122
nProtect : Trojan/W32.Agent.15872.TX : 20150122

March Invoice

Please find attached your March invoice, we now have the facility to email invoices, but if you are not happy with this and would like a hard copy please let me know.

New bank details for BACS payments are Santander Bank Sort Code 440672 Account No 56065401.

Thanks very much

Sarah
< March invoice 8978.zip >

票据 - 王丽萍

各位{经理.财务}您好：
本公司优惠代理全国各地大城市发票

1.17%增值税专用，11%运输增值税
2.普通.【商品，商业，企业，工业】发票
3.服务业，餐饮业，旅店业专用发票
4.广告业专用发票
5.建筑安装，税务证专用发票
6.机动车销售专用发票
7.房屋租赁专用发票
8.税务代开专用发票

其它地税，国税普通发票。金额根据大小而优惠。

===郑重承诺==

以上票据均可在网上查询或到税务抵扣验证后付款！
联系电话：13699874345
联系人：王丽萍
QQ :247816785