Monday, August 31, 2015

Invoice Jeff Herman

invoice53444271 Jeff Herman.zip

File analysis :

OPEN : invoice53444271 Jeff Herman.zip
RESULT : File is a virus.

Virus analysis :

SHA256: 9c6ce032c5b4f521b0ace607a50a499812ecb9845741862a0f7f9183a87c7c49

ALYac : Trojan.Agent.BMBU
AVG : FakeAlert
AVware : Trojan.Win32.Generic!BT
Ad-Aware : Trojan.Agent.BMBU
Agnitum : Trojan.DL.Dofoil!MdY5QMP4IPM
Arcabit : Trojan.Agent.BMBU
Avast : Win32:Trojan-gen
Baidu-International : Trojan.Win32.Dofoil.bstr
BitDefender : Trojan.Agent.BMBU
CAT-QuickHeal : TrojanDownloader.Upatre.r4
Cyren : W32/Trojan3.RIE
ESET-NOD32 : a variant of Win32/Kryptik.DUYG
Emsisoft : Trojan.Agent.BMBU (B)
F-Prot : W32/Trojan3.RIE
F-Secure : Trojan.Agent.BMBU
Fortinet : W32/Kryptik.DUMX!tr
GData : Trojan.Agent.BMBU
Ikarus : Trojan-Downloader.Win32.Upatre
Jiangmin : TrojanDownloader.Dofoil.bhq
K7AntiVirus : Trojan ( 004cddfe1 )
K7GW : Trojan ( 004cddfe1 )
Kaspersky : Trojan-Downloader.Win32.Dofoil.bstr
Malwarebytes : Spyware.Dyre
McAfee : Upatre-FACE!67B2464F5D77
McAfee-GW-Edition : Upatre-FACE!67B2464F5D77
MicroWorld-eScan : Trojan.Agent.BMBU
Microsoft : TrojanDownloader:Win32/Upatre
NANO-Antivirus : Trojan.Win32.Dyre.dvrjgu
Panda : Trj/CI.A
Qihoo-360 : HEUR/QVM19.1.Malware.Gen
Sophos : Troj/Upatre-LD
TrendMicro : TROJ_UP.10D6D122
TrendMicro-HouseCall : TROJ_UP.10D6D122
VBA32 : Heur.Trojan.Hlux
VIPRE : Trojan.Win32.Generic!BT
ViRobot : Trojan.Win32.Upatre.43520.A[h]
Zillya : Downloader.UpatreGen.Win32.68
nProtect : Trojan.Agent.BMBU

Email analysis :

NOTE : bespalov@stati.orene.ru
NOTE : Received : by stati.orene.ru (Postfix, from userid 5001)
NOTE : 94.79.7.6 ()

Thursday, August 27, 2015

Indebtedness for driving on toll road #000948265 (Virus)

Notice to Appear,

You have not paid for driving on a toll road.
You are kindly asked to pay your debt as soon as possible.

The copy of the invoice is attached to this email.

Sincerely,
Thomas Gorman,
E-ZPass Agent.

E-ZPass_Invoice_000948265.zip

File analysis :

OPEN FILE : E-ZPass_Invoice_000948265.zip
RESULT : FILE IS A VIRUS

Virus analysis :

SHA256 : 5ec5b13bbf1d2a2179168acfaec53da59afa6b8ca480930e1b56d996b51dd140
ALYac : JS:Trojan.JS.Downloader.AN
AVG : JS/Downloader.Agent
AVware : Malware.JS.Generic (JS)
Ad-Aware : JS:Trojan.JS.Downloader.AN
Arcabit : JS:Trojan.JS.Downloader.AN
Avast : JS:Agent-DOB [Trj]
BitDefender : JS:Trojan.JS.Downloader.AN
CAT-QuickHeal : JS.Downloader.Z
Comodo : Heur.Dual.Extensions
DrWeb : SCRIPT.Virus
ESET-NOD32 : JS/TrojanDownloader.Nemucod.AS
Emsisoft : JS:Trojan.JS.Downloader.AN (B)
F-Secure : JS:Trojan.JS.Downloader.AN
Fortinet : JS/Agent.CPL!tr
GData : JS:Trojan.JS.Downloader.AN
Kaspersky : Trojan.JS.Agent.cpl
McAfee : JS/Nemucod.c
McAfee-GW-Edition : JS/Nemucod.c
MicroWorld-eScan : JS:Trojan.JS.Downloader.AN
Microsoft : TrojanDownloader:JS/Nemucod.P
NANO-Antivirus : Trojan.Script.Agent.dtchtk
Rising : NORMAL:Trojan.DL.Script.JS.Nemucod.b!1616509[F1]
Sophos : JS/DwnLdr-MON
VIPRE : Malware.JS.Generic (JS)
nProtect : JS:Trojan.JS.Downloader.AN

Email analysis :

NOTE : thomas.gorman@jerusalem.hostyou.com.br
NOTE : client-ip=104.238.195.142;
NOTE : Sender Address Domain - jerusalem.hostyou.com.br
NOTE : X-Source-Args : /usr/bin/php /home/centova/public_html/coisaseria.com.br/post.php
NOTE : < centova@jerusalem.hostyou.com.br >
NOTE : Mime-Version : 1.0
NOTE : X-Source-Dir : centova.com:/public_html/coisaseria.com.br
NOTE : X-Priority : 3
NOTE : X-Get-Message-Sender-Via : jerusalem.hostyou.com.br:
NOTE : authenticated_id: centova/primary_hostname/system user
NOTE : X-Source : /usr/bin/php
NOTE : Received : by 10.202.17.82 with SMTP
NOTE : Received : from centova by jerusalem.hostyou.com.br
NOTE : Indebtedness for driving on toll road #000948265

Hi Comrade!

Hi Comrade!

Good tidings to you. With urgent need for assistance, I have summoned up courage to contact you. I have no intention of contacting you at this moment; rather, an emergency prompted me to seek an urgent gateway, and I will be glad if you can be of assistance in understanding my personal experience and work with me presently on my on-going military mission here in Afghanistan, which is going to be fruitful and profitable to both of us financially. I am Capt. Elizabeth, an officer in the US Army and the International Security Assistance Force (ISAF) with Forward Operating Base Shank, Kandahar city of Afghanistan, for the peacekeeping force. I am presently in service now and I really need your help in assisting me with the safe keeping of two trucks. I hope you can be trusted? I will explain further when I get a response from you.

These are the pieces of information I need from you to keep the trust.

Your full name
Home and office address
Sex/age/occupation
Telephone
Your scanned I.D Card for identification Purpose only.

Once I receive this information, I shall let you know how to get the package ASAP.

May God be with you.

Capt.Elizabeth.

Email analysis :

NOTE : capt.elizabetmcnamara@usa.net
NOTE : capt.elizabetmcnamara@mail.tj
NOTE : Received : from User (unknown [95.170.141.11])
NOTE : by mail1.strb.ru (Postfix) with ESMTP
NOTE : Tomsk is far from Kandahar...

Pls provide the following details

Dear Sir / Madam,

I am interested in purchasing your products, a sample image of which is attached to the Login link below. Please follow the Login link below to view the sample image I am interested in ordering from your company; we sincerely hope to establish a long-term business relationship with your esteemed company. Click Here to login: http://www.ptss.edu.my/v6/administrator/templates/system/documents.html If so, kindly provide the following details and send me your latest catalog. Also, inform me about the Minimum Order Quantity, Delivery time or FOB, and payment terms/warranty:

I await your advice.
Best Wishes,
Mrs. Linda Yong

Analysis :

CLICK : LINK
VALIDATE : FORM
RESULT :

Email analysis :

NOTE : bencook551127@yahoo.co.id
NOTE : Return-Path : spam@practicenet.co.uk
NOTE : X-Ms-Exchange-Crosstenant-Fromentityheader : HybridOnPrem
NOTE : X-Msmail-Priority : Normal
NOTE : Pls provide the following details

Urgent Inquiry Arrival From Alibaba . (Alibaba Phishing)

The following message was generated before 18 Aug 2015 09:32 (PST). This message was sent to you only. Registered Location and Message Origin: UAE. Message IP: 180.2685.4093.*

Ahmad Yacoob has sent you a new message.

Ahmad Yacoob

General inquiry about your product for sale.

18 Aug 2015 09:32

Congratulations! You have received a new inquiry From Ahmad Yacoob .To see the content and reply to this inquiry, please click on the Check Inquiry button below. Regards. Reply Now Reject Inquiry Report Spam If you don't want to reply to this inquiry, you can Reject Inquiry and let the buyer know. Learn more

Alibaba.com shall not be liable for any lost profits or incidental, consequential or other damages arising out of or in connection with this message, our web site content, our services or the activities of any of the users of our web site. Thank you for your understanding and cooperation.

Phishing analysis :

CLICK : Reply Now
OPEN : http://ledkuutio.fi/alib/index.html
RESULT : Phishing was removed...

Email analysis :

NOTE : md15m@my.fsu.edu
NOTE : X-Ms-Exchange-Crosstenant-Fromentityheader : Hosted
NOTE : Return-Path : md15m@my.fsu.edu
NOTE : X-Originating-Ip : [74.208.68.233]
NOTE : Mime-Version : 1.0
NOTE : domain of md15m@my.fsu.edu designates 157.56.111.246 as permitted sender
NOTE : smtp.mailfrom=md15m@my.fsu.edu
NOTE : X-Originatororg : my.fsu.edu
NOTE : Received-Spf : client-ip=157.56.111.246;
NOTE : Received : from u18097758.onlinehome-server.com (74.208.68.233)
NOTE : Urgent Inquiry Arrival From Alibaba .

Security Notice Updates (LinkedIn Phishing)

LinkedIn

Security Notice Updates

On the 23rd of August 2015, an attempt to access your account was detected from an unknown location. For your security, access to your LinkedIn account has been temporarily suspended. To regain access, you must complete REGISTRATION BY DOWNLOADING & FILLING IN THE ATTACHED FORM. PLEASE NOTE: This is a compulsory measure. Failure to update your information will lead to service termination. LinkedIn security team.

VIEW ATTACHED TO UPDATE

You received an invitation to connect. LinkedIn will use your email address to make suggestions to our members in features like People You May Know. Unsubscribe
Learn why we included this. If you need assistance or have questions, please contact LinkedIn Customer Service.

© 2015, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA

Phishing analysis :

OPEN : LinkedIn Verification.html
EXTRACT FORM : action="http://test88212.test-account.com/BEXXXXLINK.php"

Whois test-account.com :

Domain Name: test-account.com
Registry Domain ID: 86840496_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrygate.com
Registrar URL: www.registrygate.com
Updated Date: 2014-12-29T01:33:34Z
Creation Date: 2002-05-22T01:33:22Z
Registrar Registration Expiration Date: 2016-05-22T20:04:29Z
Registrar: RegistryGate GmbH
Registrar IANA ID: 1328
Registrar Abuse Contact Email: abuse@registrygate.com
Registrar Abuse Contact Phone: +49.89.55061272
Domain Status: ok

Registrant Name: Werner Kaltofen
Registrant Organization: Neue Medien Muennich GmbH
Registrant Street: Hauptstr. 68
Registrant City: Friedersdorf
Registrant State/Province:
Registrant Postal Code: 02742
Registrant Country: DE
Registrant Phone: +49.3587235310
Registrant Fax: +49.3587235330
Registrant Email: hostmaster@all-inkl.com

Admin Name: Werner Kaltofen
Admin Organization: Neue Medien Muennich GmbH
Admin Street: Hauptstr. 68
Admin City: Friedersdorf
Admin State/Province:
Admin Postal Code: 02742
Admin Country: DE
Admin Phone: +49.3587235310
Admin Fax: +49.3587235330
Admin Email: hostmaster@all-inkl.com

Tech Name: Werner Kaltofen
Tech Organization: Neue Medien Muennich GmbH
Tech Street: Hauptstr. 68
Tech City: Friedersdorf
Tech State/Province:
Tech Postal Code: 02742
Tech Country: DE
Tech Phone: +49.3587235310
Tech Fax: +49.3587235330
Tech Email: hostmaster@all-inkl.com
Name Server: ns5.kasserver.com
Name Server: ns6.kasserver.com
DNSSEC: unsigned

Registry Billing ID:
Billing Name: Werner Kaltofen
Billing Organization: Neue Medien Muennich GmbH
Billing Street: Hauptstr. 68
Billing City: Friedersdorf
Billing State/Province:
Billing Postal Code: 02742
Billing Country: DE
Billing Phone: +49.3587235310
Billing Fax: +49.3587235330
Billing Email: hostmaster@all-inkl.com

Email analysis :

NOTE : Return-Path : < werner.laube@t-online.de >
NOTE : X-Remote : 194.25.134.17 (mailout02.t-online.de)
NOTE : Mime-Version : 1.0
NOTE : Content-Type : multipart/mixed; boundary="===============1507808188=="
NOTE : Received : from mailout02.t-online.de (194.25.134.17)
NOTE : Received : from fwd40.aul.t-online.de (fwd40.aul.t-online.de [172.20.26.139])
NOTE : by mailout02.t-online.de
NOTE : Received : from h2358992.stratoserver.net (@[85.214.197.244])
NOTE : by fwd40.t-online.de with (TLSv1:DHE-RSA-AES256-SHA encrypted)
NOTE : Security Notice Updates