Amazon orders and email confirmation leads to PDF malware

Since last week, MX Lab has been intercepting emails with requests to confirm your email address or orders processed by Amazon. This campaign has been received in quite large quantities and we have been investigating what it is about.

At first we thought they were phishing emails, but so far we haven’t been able to establish a connection with the sites that are mentioned in the URLs included in the message.

This is the latest screenshot of an email requesting confirmation of the email address. The layout is very well done, as you can see. The Amazon images are embedded in the message through an image tag and they come directly from Amazon servers.

But the links in the email are obfuscated and point to web sites like:


Which redirects in this case to:


Following the URL will lead you to short-lived web sites hosting malicious PDF files. The PDF file appears to be offered in an HTML iframe tag so that it can be launched with no interference.
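
A mail filter can check for the two traits described above: brand images served from Amazon servers next to links that leave the brand's domains, and a landing page that serves a PDF through an iframe. The following is an added example, not MX Lab's code; the brand domain list, the function names and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains treated as brand-owned; extend for your environment.
BRAND_SUFFIXES = ("amazon.com", "images-amazon.com")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_brand(host):
    return any(host == s or host.endswith("." + s) for s in BRAND_SUFFIXES)

class _Collector(HTMLParser):
    """Collects the URLs of images, links and iframes in an HTML body."""
    def __init__(self):
        super().__init__()
        self.found = {"img": [], "a": [], "iframe": []}

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        url = attr.get("href") if tag == "a" else attr.get("src")
        if tag in self.found and url:
            self.found[tag].append(url)

def analyse(html):
    c = _Collector()
    c.feed(html)
    brand_images = [u for u in c.found["img"] if is_brand(host_of(u))]
    # Links with no host (mailto:, anchors) are ignored.
    offbrand = [u for u in c.found["a"]
                if host_of(u) and not is_brand(host_of(u))]
    pdf_iframes = [u for u in c.found["iframe"]
                   if urlparse(u).path.lower().endswith(".pdf")]
    return {
        # Genuine brand imagery combined with links leaving the brand.
        "brand_mismatch": bool(brand_images) and bool(offbrand),
        "offbrand_links": offbrand,
        "pdf_iframes": pdf_iframes,
    }

# Constructed samples (not taken from the campaign).
SAMPLE_EMAIL = ('<img src="https://img.images-amazon.com/logo.gif">'
                '<a href="http://shop.example.net/confirm?id=1">Confirm</a>'
                '<a href="https://www.amazon.com/help">Help</a>')
SAMPLE_LANDING = '<iframe src="http://files.example.org/doc.PDF"></iframe>'

if __name__ == "__main__":
    print(analyse(SAMPLE_EMAIL))
    print(analyse(SAMPLE_LANDING))
```

A positive `brand_mismatch` is a reason to quarantine or rewrite the links, not proof of malice, since legitimate mail can also link to third-party sites.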