Skip to main content
Customer Support Customer Support

Just got a new Email from so called DHL

  • July 25, 2013
  • 12 replies
  • 40 views
RetiredTripleHelix
Gold VIP
Forum|alt.badge.img+56
I knew it was

so I saved the zip attachment in my downloads folder and uploaded to VirusTotal and I was the first to upload and scan the file and the detection was 7/46 and I scanned with WSA and was detected also! Very Cool!
 
https://www.virustotal.com/en/file/a0caaa4a73bd070889710bb333d28d1230ddaec6b0e0973e1cbb4bc62615cf11/analysis/1374786545/
 
[b] c:usersdanieldownloadsshipment_label_ca_oshawa.zip/shipment_label_ca_oshawa.exe [MD5: BAB9B74D424AD73F6E083FEADBF5D86F] [Flags: 00080001.7583] [Threat: W32.Downloader.Gen]
 


 
This is real world testing!


 
Cheers,
 
Daniel
 
Note: Please don't do this unless you know how to handle malware files it's best to delete the email.
    ProTruckDriver
    Jasper_The_Rasper
    TripleHelix

    12 replies

    RetiredTripleHelix
    Gold VIP
    Forum|alt.badge.img+56
    I just got another one and VirusTotal detects 6/46 I was the first to upload again: https://www.virustotal.com/en/file/d173a7460a81fd3c775a3ce85d0f55232c9136fcb4fcb30630fe332726deecfd/analysis/1375634320/
     


     
    Also scanned with WSA and also detected!
    [b] c:usersdanieldownloadsshipment_label_ca_oshawa.zip/shipment_label_ca_oshawa.exe [MD5: 4EDCAEE580404FB5E3769FD365CB3F23] [Flags: 00080001.9628] [Threat: W32.Downloader.Gen]
     
    Note: VirusTotal is not as reliable for detections as it uses a command line scan and does use other AV features I use as a baseline only.
     
    TH
    RetiredTripleHelix
    Gold VIP
    Forum|alt.badge.img+56
    I got another one today from so called DHL I was first to upload again 8/45 and WSA detects it also!
     
    https://www.virustotal.com/en/file/cc011e55dea828c40a048f7708bf4a4633c9bef2d53f2144f57d276ab6dcb3f1/analysis/1376155258/
     
    The thing is that last few have been very specific to the name of my City Oshawa.
     


     
     
     
     
    ProTruckDriver
    Moderator
    Within the last few months I receive this Email from DHL about once every 2 weeks. They must be catching many people with this malware. Another reason I'm glad I have the Big "W" protecting me. 😉
    Mac Mini, M-4, 24 GB Memory, 1 TB SSD, macOS Sequoia 15.7.2 ~ Clone & Backup with: SuperDuper - Time Machine & iCloud. PWM: RoboForm. 👁¿👁 Spam Annihilater 👁¿👁
    RetiredTripleHelix
    Gold VIP
    Forum|alt.badge.img+56
    Yes really! They can't do any damage as you got to click on the Download link so it's best just to delete them. But are yours specific to you City?
     
    TIA,
     
    Daniel
    ProTruckDriver
    Moderator
    Yep, they sure are. Chesapeake, Va. That mail get directed into my spam folder. I don't open them because I know I have nothing coming in by DHL. It's been about a week since I got my last one that I deleted, so I'll probably be getting another within this week or next, I'll look at it closer when it comes in.
    Mac Mini, M-4, 24 GB Memory, 1 TB SSD, macOS Sequoia 15.7.2 ~ Clone & Backup with: SuperDuper - Time Machine & iCloud. PWM: RoboForm. 👁¿👁 Spam Annihilater 👁¿👁
    RetiredTripleHelix
    Gold VIP
    Forum|alt.badge.img+56
    My ISP uses Yahoo mail for there email services but I was surprised is said my as my city next time I'm going to use a VPN to see if it's tracking the IP address?
     
    Thanks Dave,
     
    Daniel
    RetiredTripleHelix
    Gold VIP
    Forum|alt.badge.img+56
    I had one in my Deleted folder and it does follow your IP as I used a VPN and I got it from! But I tried a US address it would not download I also tried a UK address and it wouldn't download!
     
    Daniel


     


     
    And WSA detected and Deleted all!
     

    RetiredTripleHelix
    Gold VIP
    Forum|alt.badge.img+56
    I got another one from an Email but not DHL VT detects it 2/48 and also WSA! ;)
     
    Great work Webroot as this is a real world test!
     
    Mon 23-09-2013 14:45:00.0265    Infection detected: c:usersdanieldownloadscase_3521932.zip/case_09232013.exe [MD5: DB67FE09D2D6854ACC8583C644A816F4] [3/00080001] [W32.Trojan.Gen]
     
    https://www.virustotal.com/en/file/fd5ac3025c654c9c878bf886a6a43c8fde32688122da55c2f678a46db6827bd2/analysis/1379961888/
     
    Cheers,
     
    Daniel
     



     
     
     
     
    shorTcircuiT
    explanoit
    Silver VIP
    Forum|alt.badge.img+6
    • explanoit
    • Silver VIP
    • September 23, 2013
    Yes, these fake invoices/PDFs from shipping companies routinely get 3/48.
     
    My latest capture from today, which scored just two the first time I submitted it. I submitted the sample to 35+ companies a few hours ago. Only McAfeee has added the detection so far.
    http://www.threatexpert.com/report.aspx?md5=db67fe09d2d6854acc8583c644a816f4
     
    Disclaimer:
    VirusTotal does not include deep heuristics engine since they use commandline based versions of scanners so the file would likely be picked up in the real world by some of the scanners listed. But still, 3/48 on an ongoing attack even after I notify the companies...not good.
    ---------------------------------------- Business Products Sr. Community Leader and Expert Advisor - WSA-Enterprise administrator over 2000 clients First company to 1000+ WSA endpoints | Power User / Business Ambassador / WSA-C and WSA-E Beta tester Find me on Twitter!
    shorTcircuiT
    shorTcircuiT
    Gold VIP
    • shorTcircuiT
    • Gold VIP
    • September 24, 2013
    You guys have all the fun POUT! I never get those emails. Sigh.
    RetiredTripleHelix
    RetiredTripleHelix
    Gold VIP
    Forum|alt.badge.img+56
    @ wrote:
     
    Disclaimer:
    VirusTotal does not include deep heuristics engine since they use commandline based versions of scanners so the file would likely be picked up in the real world by some of the scanners listed. But still, 3/48 on an ongoing attack even after I notify the companies...not good.
    I fully agree it's only a baseline tool!
     
    Daniel
    pegas
    Gold VIP
    • pegas
    • Gold VIP
    • September 24, 2013
    @DavidP1970 wrote:
    You guys have all the fun POUT! I never get those emails. Sigh.
    I too because they are all caught by our company security solutions once they enter on our mail server, so these mails cannot pass through to my mailbox. As for my other private mailboxes, no problem as well.
    Terms & ConditionsAccessibility statement