Emails with subject “DHL Delivery Status” and attachment “DHL_Report_xxx.zip” contain trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “DHL Delivery Status #E727D5151D”.

This email is sent from the spoofed address “DHL Delivery Status <hhnjnuvph@windstream.net>” and has the following body:

Dear customer,

We attempted to deliver your item at 10:10 AM on Nov 20th, 2013.

The delivery attempt failed because nobody was present at the shipping address, so this notify has been automatically sent.

If the parcel is not scheduled for redelivery or picked up within 72 hours, it will be returned to the sender.

Label Number: E727D5151D
Expected Delivery Date: Nov 20th, 2013

Class: Package Services

Service(s): Delivery Confirmation
Status: eNotification sent

Read the enclosed file for details.

Thank you,
(c) 2013 Copyright DHL INC 2013. All Rights Reserved.

*** This is an automatically generated email, please do not reply ***

The attached ZIP file is named DHL_Report-E727D5151D.zip and contains the 73 kB file DHL_Delivery_report_ID98432934__lots_of_random_numbers__56834.pdf.exe.

The trojan is known as Virus.Win32.Heur.p or UDS:DangerousObject.Multi.Generic.

At the time of writing, 2 of the 47 AV engines detected the trojan on VirusTotal.

Use the VirusTotal permalink and Malwr permalink for more detailed information.
SHA256: 287148fcdb763be450498e3891e3ab4b09ec646077e877bcd80e8d8ff548cc22
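
A mail-gateway check for the attachment pattern described above (an executable with a document-style double extension inside a ZIP), as an added example that is not MX Lab's code. The function names and both extension lists are assumptions, and the sample message is constructed with harmless bytes.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed, deliberately short lists; tune them for your own gateway.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

def deceptive_entries(zip_bytes):
    """Return ZIP entry names whose last extension is executable and whose
    second-to-last extension imitates a document (e.g. x.pdf.exe)."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for name in zf.namelist():
                # Windows ignores trailing dots and spaces, so strip them first.
                parts = name.lower().rstrip(". ").rsplit(".", 2)
                if len(parts) == 3 and parts[2] in EXECUTABLE_EXTS and parts[1] in DECOY_EXTS:
                    hits.append(name)
    except zipfile.BadZipFile:
        pass  # not a readable ZIP; leave it to other gateway checks
    return hits

def scan_message(raw):
    """Map each ZIP attachment of a raw RFC 5322 message to its deceptive
    entries; attachments without hits are omitted."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Accept by name or by the ZIP local-file-header magic bytes.
        if fname.lower().endswith(".zip") or payload[:4] == b"PK\x03\x04":
            hits = deceptive_entries(payload)
            if hits:
                report[fname] = hits
    return report

def build_sample():
    """Constructed test message: harmless bytes under a name shaped like the one above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL_Delivery_report_ID0000__0000.pdf.exe", b"not a real program")
        zf.writestr("readme.txt", b"benign")
    msg = EmailMessage()
    msg["Subject"] = "DHL Delivery Status #E727D5151D"
    msg.set_content("Read the enclosed file for details.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="DHL_Report-E727D5151D.zip")
    return msg.as_bytes()
```

`scan_message(build_sample())` reports only the `.pdf.exe` entry; the `readme.txt` entry in the same archive is not flagged.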

2 thoughts on “Emails with subject “DHL Delivery Status” and attachment “DHL_Report_xxx.zip” contain trojan”

  1. I received one of these emails yesterday and I did open the attachment on my iPad. Will the virus affect the iPad as it would a computer and if so could you advise the best course of action?

    Thank you,

    Terry Bailey

    • iPads are not susceptible to Windows viruses, even if you open an attached file. You are 99.99% safer opening email attachments on an iPad than on a Windows PC.
