MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Your Amazon.co.uk order has dispatched (#203-2083868-0173124)”.
This email is sent from the spoofed address “"Amazon.co.uk" <firstname.lastname@example.org>” and has the following body:
Greetings from Amazon.co.uk,
We are writing to let you know that the following item has been sent using Royal Mail.
For more information about delivery estimates and any open orders, please visit: http://www.amazon.co.uk/your-account
Your order #203-2083868-0173124 (received November 5, 2014)
Your right to cancel:
At Amazon.co.uk we want you to be delighted every time you shop with us. Occasionally though, we know you may want to return items. Read more about our Returns Policy at: http://www.amazon.co.uk/returns-policy/
Further, under the United Kingdom’s Distance Selling Regulations, you have the right to cancel the contract for the purchase of any of these items within a period of 7 working days, beginning with the day after the day on which the item is delivered. This applies to all of our products. However, we regret that we cannot accept cancellations of contracts for the purchase of video, DVD, audio, video games and software products where the item has been unsealed. Please note that we are unable to accept cancellation of, or returns for, digital items once downloading has commenced. Otherwise, we can accept returns of complete product, which is unused and in an “as new” con
Our Returns Support Centre will guide you through our Returns Policy and, where relevant, provide you with a printable personalised return label. Please go to http://www.amazon.co.uk/returns-support to use our Returns Suppor
To cancel this contract, please pack the relevant item securely, attach your personalised return label and send it to us with the delivery slip so that we receive it within 7 working days after the day of the date that the item was delivered to you or, in the case of large items delivered by our specialist couriers, contact Amazon.co.uk customer services using the link below within 7 working days after the date that the item was delivered to you to discuss the return.
For your protection, where you are returning an item to us, we recommend that you use a recorded-delivery service. Please note that you will be responsible for the costs of returning the goods to us unless we delivered the item to you in error or the item is faulty. If we do not receive the item back from you, we may arrange for collection of the item from your residence at your cost. You should be aware that, once we begin the delivery process, you will not be able to cancel any contract you have with us for services carried out by us (e.g. gift wrapping).
Please also note that you will be responsible for the costs of collection in the event that our specialist courier service collect a large item from you to return to us.
As soon as we receive notice of your cancellation of this order, we will refund the relevant part of the purchase price for that item.
Should you have any questions, feel free to visit our online Help Desk at:
If you’ve explored the above links but still need to get in touch with us, you will find more contact details at the online Help Desk.
Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail. Please do not reply to this message.
Thank you for shopping at Amazon.co.uk
Amazon EU S.à.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
The attached file is named Mail Attachment.doc and is approx. 230 kB in size.
The malicious Word file is detected as W97M/Downloader.t, W97M.DownLoader.110 or W97M.Dropper.Obfus.
At the time of writing, 4 of the 54 AV engines detected the malicious file at Virus Total.
Use the Virus Total permalink for more detailed information.