Attached file to fake email “Payroll invoice” from ADP contains trojan

MX Lab,, started to intercept a new trojan distribution campaign by email with the subject “Payroll invoice”

This email is send from the spoofed address “” and has the following body:

A copy of your ADP TotalSource Payroll Invoice for the following payroll is is attached in PDF file and available for viewing.

Year:     13
Week No:     08
Payroll No:     1

Please open attached file to view and check following payrol

This email was generated by an automated notification system. If you have any questions regarding the invoice or you have misplaced your
MyTotalSource login information, please contact your Payroll Service Representative. Please do not reply to the email directly.
© 2013 Automatic Data Processing, Inc.

The attached ZIP file has the name and contains the 137 kB large file invoice_2034837510_293mw.pdf.exe.

The trojan is known as Spyware/Win32.Zbot, Generic9_c.BJAJ, BackDoor.Maxplus.13119, Win32.Troj.Generic.a.(kcloud), Backdoor.Win32.ZAccess.elaw, Trojan:Win32/Sirefef.P and others.

At the time of writing, 24 of the 48 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 0e12d76d30e2fbc20ce938d6bdafecfbbe232f55156ac3bed910eb702b06bdf0.

4 thoughts on “Attached file to fake email “Payroll invoice” from ADP contains trojan

  1. My inbox has been recieving 100s of returns as of yesterday. I ran a full scan with McAfee, Adware and Malware, all of them with “0” results!! This morning I recieved 48. What do I do now?

Comments are closed.