Thursday, June 30, 2016

Disposition à propos de la ligne mobile (Arrangement regarding the mobile line) (Phishing Free)

Bonjour (Hello)

CFR (Centre Français de Recouvrement)

Screenshot of the email :


Email analysis :

NOTE : infos@titowape.com
NOTE : Content-Type : text/html; charset=UTF-8
NOTE : Content-Type : application/xhtml+xml
NOTE : Content-Disposition : inline
NOTE : Return-Path : < prefet@paroles-musique.com >
NOTE : Content-Transfer-Encoding : base64
NOTE : Received : from paroles-musique.com ([104.36.17.205])
NOTE : Disposition à propos de la ligne mobile

Phishing analysis :

CLICK : Se connecter
OPEN : http://dakarp.com/jame*.asp
RESULT : Phishing was removed
RESULT : Phishing attempt...

Iazalde.Ludwig@alpestour.com has sent you a file via WeTransfer

Iazalde.Ludwig@alpestour.com
sent you some files
The updated agreement with RTS Consulting

Download

Files (6.24 MB total)
SageAccts 2016-06-29.zip
Will be deleted on
30 June, 2016

Get more out of WeTransfer, get Plus

About WeTransfer Contact Legal Powered by Amazon Web Services To make sure you can receive our emails, please add noreply@wetransfer.com to your trusted contacts

Link analysis :

CLICK : Download
OPEN : https://www.cubbyusercontent.com/pl/SageAccts+2016-06-29.zip/_24cfcb038b1b4223ae0b4d0cc41ecdbe
DOWNLOAD FILE : SageAccts 2016-06-29.zip

File analysis :

FILE : SageAccts 2016-06-29.zip
SHA256 : b50fe4e0b2bfa1e8157c306e7293fb9d097a91b99bf34621a3246211bb5368e2

FILE IS A TROJAN !!!

Avira (no cloud) : HEUR/Suspar.Gen
K7AntiVirus : Trojan ( 004dfe6d1 )
K7GW : Trojan ( 004dfe6d1 )
Kaspersky : HEUR:Trojan-Downloader.Script.Generic

Email analysis :

NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0)
NOTE : Gecko/20100101 Thunderbird/24.2.0
NOTE : Return-Path : < americanexpress@welcome.aexp.com >
NOTE : Mime-Version : 1.0
NOTE : Message-Id : < *.*@alpestour.com >
NOTE : Content-Transfer-Encoding : 7bit
NOTE : Content-Type : text/html; charset=ISO-8859-1
NOTE : 1.161.133.80;
NOTE : Iazalde.Ludwig@alpestour.com has sent you a file via WeTransfer
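The "Email analysis" notes above (and the ones for the CFR and mailbox-quota lures on this page) all come down to the same header checks: does the Return-Path domain match the displayed From domain, does the Message-Id domain match it, and which IPs appear in the Received chain. The script below is an added example, not the blog's own tooling: it runs those checks over constructed header blocks modelled on the notes (the From header, Message-Id value, relay names and timestamps are assumptions; the addresses and IPs are the ones noted on the page).

```python
# Added example (not from the blog): flag the header inconsistencies the blog's
# "Email analysis" notes record. Sample headers below are CONSTRUCTED from the
# page's notes; relay hostnames, dates and the Message-Id value are assumptions.
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def addr_domain(value):
    """Lower-cased domain of an address-bearing header, or None if absent."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower() or None


def analyse_headers(raw):
    """Return the From / Return-Path / Message-Id domains, the IPs seen in
    Received headers, and a list of flags describing any inconsistency."""
    msg = message_from_string(raw)
    from_dom = addr_domain(msg.get("From"))
    result = {
        "from_domain": from_dom,
        "return_path_domain": addr_domain(msg.get("Return-Path")),
        "message_id_domain": addr_domain(msg.get("Message-ID")),
        "received_ips": [],
        "flags": [],
    }
    # Received headers are listed top-down, i.e. last hop first.
    for hop in msg.get_all("Received", []):
        result["received_ips"].extend(IPV4.findall(hop))
    if result["return_path_domain"] and result["return_path_domain"] != from_dom:
        result["flags"].append("return-path domain differs from From domain")
    if result["message_id_domain"] and result["message_id_domain"] != from_dom:
        result["flags"].append("message-id domain differs from From domain")
    for ip in result["received_ips"]:
        try:
            if ipaddress.ip_address(ip).is_private:
                result["flags"].append(f"private address {ip} in Received chain")
        except ValueError:  # regex matched something that is not a valid IPv4
            continue
    return result


# Constructed after the WeTransfer lure notes: Return-Path at aexp.com,
# sender and Message-Id at alpestour.com, hop IP 1.161.133.80.
WETRANSFER_LURE = """Return-Path: <americanexpress@welcome.aexp.com>
Received: from User (unknown [1.161.133.80])
    by mx.example.net (Postfix) with ESMTP; Wed, 29 Jun 2016 10:00:00 +0000
From: Iazalde.Ludwig@alpestour.com
Message-Id: <constructed-id@alpestour.com>
Subject: Iazalde.Ludwig@alpestour.com has sent you a file via WeTransfer
Content-Type: text/html; charset=ISO-8859-1

"""

# Constructed after the CFR lure notes: sender at titowape.com but
# Return-Path and relay at paroles-musique.com; no Message-Id noted.
CFR_LURE = """Return-Path: <prefet@paroles-musique.com>
Received: from paroles-musique.com ([104.36.17.205])
    by mx.example.net (Postfix) with ESMTP; Thu, 30 Jun 2016 09:00:00 +0000
From: CFR <infos@titowape.com>
Subject: Disposition a propos de la ligne mobile
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: base64

"""

# Constructed after the mailbox-quota lure notes: consistent sender, but the
# inner Received hop carries a private (RFC 1918) helo address.
QUOTA_LURE = """Return-Path: <hazmi@almadar-group.net>
Received: from host.arabsgate115.com (host.arabsgate115.com. [209.59.186.52])
    by mx.example.net (Postfix) with ESMTP; Thu, 30 Jun 2016 08:00:00 +0000
Received: from [95.141.31.22] (port=59484 helo=[10.129.123.246])
    by host.arabsgate115.com with esmtpsa
From: Mail Administrator <hazmi@almadar-group.net>
Subject: Low Mailbox Space (Update Your Mailbox To Avoid Error)

"""

if __name__ == "__main__":
    for name, raw in [("wetransfer", WETRANSFER_LURE),
                      ("cfr", CFR_LURE), ("quota", QUOTA_LURE)]:
        print(name, analyse_headers(raw))
```

A mismatch on its own is not proof of phishing (mailing-list and forwarding services legitimately rewrite Return-Path), so the flags are triage hints to be read next to the link and attachment analysis, as the blog does.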

Kindly respond for more details

I am Captain Kelvin Ken Miller. Currently I need your assistance to move some funds out of Iraq.

Email analysis :

NOTE : genjohnwnicholson@ighomail.com
NOTE : abruant@virgilio.it
NOTE : Received : from User (unknown [105.227.180.214])
NOTE : by neptune.exsilia.net (Postfix)

Wednesday, June 29, 2016

My Name is Sr. ADALBERTO CESÁRIO

My Name is Sr. ADALBERTO CESÁRIO

I am from Portugal. I have been diagnosed with cancer. It has defied all forms of medical treatment, and right now I have only about a few months to live, according to medical experts. I have not particularly lived my life so well, as I never really cared for anyone (not even myself) but my business. Though I am very rich, I was never generous, I was always hostile to people and only focused on my business as that was the only thing I cared for. But now I regret all this as I now know that there is more to life than just wanting to have or make all the money in the world. I believe when God gives me a second chance to come to this world I would live my life a different way from how I have lived it. I would want to have a personal and trustworthy relationship with you, as I intend and am willing to empower the change of ownership for the transfer of my deposits to your personal possession for further investment and charity disbursement to the less privileged and homeless. This is my private email address adalcesario93@gmail.com, write to me urgently.

I will send you the photos of me and my very hopeless and selfish family members, including my wife, who I learnt is getting married to my personal friend and attorney.

Thank you for your due consideration. God be with you.

Your Brother.

Sr. ADALBERTO CESÁRIO

Email analysis :

NOTE : adalcesario91@hotmail.com
NOTE : client-ip=65.55.90.91;
NOTE : sender IP is 25.152.2.59
NOTE : Thread-Topic : My Name is Sr. ADALBERTO CESÁRIO
NOTE : Content-Language : en-US
NOTE : Mime-Version : 1.0
NOTE : X-Ms-Has-Attach :

Catering

Hello, my name is Charles. I would like to know if you do catering service, and can I know if you are the owner or manager, what is your name, and do you accept credit cards?

Email analysis :

NOTE : ccarson5524@gmail.com
NOTE : claudesq@outlook.com
NOTE : kcarson0007@gmail.com

Low Mailbox Space (Update Your Mailbox To Avoid Error) (Phishing)

Dear User,

Your mailbox quota is full.
This may cause a mailbox fault, or you may not be able to receive more e-mail.

To continue using your mailbox, you need to immediately upgrade your mailbox quota. This service is free.

Upgrade mailbox quota here

Once the upgrade is complete, your mailbox will work effectively.

Mail Administrator 2016

Screenshot of the email :


Email analysis :

NOTE : Return-Path : < hazmi@almadar-group.net >
NOTE : Mime-Version : 1.0
NOTE : X-Authenticated-Sender : host.arabsgate115.com: hazmi@almadar-group.net
NOTE : X-Get-Message-Sender-Via : host.arabsgate115.com:
NOTE : authenticated_id: hazmi@almadar-group.net
NOTE : Received-Spf : client-ip=209.59.186.52;
NOTE : Received : from host.arabsgate115.com (host.arabsgate115.com. [209.59.186.52])
NOTE : Received : from [95.141.31.22] (port=59484 helo=[10.129.123.246])
NOTE : by host.arabsgate115.com
NOTE : Low Mailbox Space (Update Your Mailbox To Avoid Error)

Phishing analysis :

CLICK : Upgrade mailbox quota here
OPEN : http://ftxvisualprint.com.br/payment/2015alldomain/connectID.php
REDIRECT : http://ftxvisualprint.com.br/payment/2015alldomain/9vk88r49xgk3k5jjmf9lycov.php

PARAMETERS : ?rand=13InboxLightaspxn.*
PARAMETERS : &fid.*.*
PARAMETERS : &fid=1
PARAMETERS : &fav.1
PARAMETERS : &rand.13InboxLight.aspxn.*
PARAMETERS : &fid.*
PARAMETERS : &fid.1
PARAMETERS : &fav.1
PARAMETERS : &email=
PARAMETERS : &.rand=13InboxLight.aspx
PARAMETERS : ?n=*
PARAMETERS : &fid=4#n=*
PARAMETERS : &fid=1
PARAMETERS : &fav=1

SCREENSHOT :


CLICK : Login to continue
REDIRECT : http://ftxvisualprint.com.br/payment/2015alldomain/connect_phone.php
SCREENSHOT :


CLICK : Verify to continue
REDIRECT : TO THE PREVIOUS PAGE