NOTE: as of 22nd January 2016, a new version of this spam email is in circulation, described here.

This fake delivery email does not come from UKMail but is instead a simple forgery with a malicious attachment:

Subject: UKMail 988271023 tracking information

Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.
Where the law prevents such exclusion and implies conditions and warranties into this contract, UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service. Where legally permissible the liability of UKMail for breach of such condition, guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don't receive a package within 30 working days UKMail will charge you for it's keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.

The attachment is named 988271023-PRCL.doc and so far I have come across three different versions of this (VirusTotal results), containing a malicious macro like this which according to these Hybrid Analysis reports downloads a malware binary from the following locations:

This binary has a VirusTotal detection rate of 5/54. That VirusTotal report plus this Hybrid Analysis report and Malwr report indicate malicious traffic to the following IPs:
157.252.245.32 (Trinity College Hartford, US)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
122.151.73.216 (M2 Telecommunications, Australia)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
195.251.145.79 (University Of The Aegean, Greece)

These fake scanner emails follow a well-established pattern. Instead of containing a scanned document they have a malicious attachment. The payload is likely to be the Dridex banking trojan. If you are reading this then you are probably not the sort of person who would open an unsolicited message of this sort.

Subject: Scanned document from HP Scanner

Attached file is scanned document in DOC format. Use Microsoft Office Word of Microsoft Corporation to view the document.

From: Sterling Hoffman 2 April 2015 at 11:00
Subject: Scanned document from Brother Scanner

From: Manuel Velez 2 April 2015 at 12:04
Subject: Scanned document from Epson Scanner

I have seen three different malicious attachments with low detection rates which appear to contain one of two macros which download a further component from one of the following locations:

Those servers are almost definitely malicious in other ways; the IPs are allocated to:
93.158.117.163 (Aitos Svenska / Port80, Sweden)

This is then saved as %TEMP%\sdfsdffff.exe which has a VirusTotal detection rate of just 1/56. Although the automated tools indicate that no files were dropped, the payload for this is almost definitely Dridex. Automated analysis indicates that it calls home to:
95.163.121.33 (Digital Networks CJSC aka DINETHOSTING, Russia)
46.19.143.151 (Private Layer Inc, Switzerland)
195.130.118.92 (University Of Ioannina, Greece)

This fake PayPal spam leads to malware on:

From: Requested Reset of Yoyr PayPal Password

Your account will stay on hold untill password reset. To get back into your PayPal account, you'll have to create a new password.
Click the link below to open a secure browser window.
Confirm that you're the owner of the account, and then follow the instructions.
If you didn't requested help with your password, let us know immediately. Reporting it is important because it helps us prevent fraudsters from stealing your information.
It'll just confuse the computer that sent it and you won't get a response.
Copyright © 2013 PayPal, Inc.

The link goes through a legitimate but hacked site to land on a malicious payload at /news/institutions-trusted.php (report here) hosted on the following IPs:
83.212.110.172 (Greek Research and Technology Network, Greece)

The WHOIS details identify this domain as belonging to the Amerika gang:

Registrant Email:

What's wrong with this picture? TGH is indeed a share on the London Stock market, but it belongs to Textainer Group Holdings Limited (as you might expect with a share with those initials).