Two new trojan variants in DHL Delivery Status ID emails


MX Lab, http://www.mxlab.eu, started to intercept two new trojans in DHL Delivery Status ID emails.

DHL.Inc: Delivery Status ID

The latest trojan is sent from a spoofed address “DHL.Inc” with a randomly generated email address, has the subject “DHL.Inc: Delivery Status ID:073A771203” and has the following body:

Dear customer,

We attempted to deliver your item at 10:10 AM on Nov 24th, 2013.

The delivery attempt failed because nobody was present at the shipping address, so this notify has been automatically sent.

If the parcel is not scheduled for redelivery or picked up within 72 hours, it will be returned to the sender.

Label Number: 073A771203
Expected Delivery Date: Oct 24th, 2013

Class: Package Services

Service(s): Delivery Confirmation
Status: eNotification sent

Read the enclosed file for details.

Thank you,
(c) 2013 Copyright DHL Inc 2013. All Rights Reserved.

*** This is an automatically generated email, please do not reply ***

The attached ZIP file has the name DHL_Delivery_Report-073A771203.zip and contains the 151 kB file Report_DHL_ID00000000000000032428___random_numbers___5124.pdf.exe.

The trojan is known as UDS:DangerousObject.Multi.Generic or Mal/Generic-S.

At the time of writing, only 2 of the 47 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: a81b7617d90b7c384fbcf4b0b2dfabe0f8427fa8d8cf29f9a8bf168ccf40ff4a.

DHL: Delivery Status ID

The older variant, which is detected by 12 of the 47 AV engines at Virus Total, is sent from a spoofed address “DHL Service” with a randomly generated email address, has the subject “DHL: Delivery Status ID-CE33CCD7A3” and has the same body as the sample above.

The attached ZIP file has the name DHL_Report-CE33CCD7A3.zip and contains the 151 kB file Delivery_report_DHL_8903___random_numbers___7238472.pdf.exe.

The trojan is known as PSW.Generic12.NRQ, W32/Trojan2.OADO, Trojan-Spy.Agent, Gen:Variant.Graftor.123413, Troj/Agent-AEXS or Trojan.Zbot.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 1e1281197e91ca7474627dec8e43401c7cb2387a7faaf9336fab769962baf100.

Note that the file names and the subject line may vary with each email.
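Both variants rely on the same trick: a ZIP attachment holding an executable whose name ends in .pdf.exe so it looks like a document. The Python below is an added example, not part of the MX Lab post; the message it scans is constructed in memory from the names quoted above, and the document/executable extension lists and the subject pattern are my own assumptions.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Subject pattern covering both "DHL.Inc: ... ID:xxx" and "DHL: ... ID-xxx" forms (assumption).
SUBJECT_RE = re.compile(r"^DHL(?:\.Inc)?: Delivery Status ID[:\-][0-9A-F]+$")
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg"}   # assumed "looks like a document"
EXEC_EXTS = {"exe", "scr", "com", "pif"}                   # assumed "actually runs"


def build_sample_email():
    """Constructed lure modelled on the first variant; not a captured message."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Report_DHL_ID00000000000000032428___1234___5124.pdf.exe", b"MZ" + b"\0" * 16)
    msg = EmailMessage()
    msg["From"] = '"DHL.Inc" <ab12cd@example.invalid>'
    msg["Subject"] = "DHL.Inc: Delivery Status ID:073A771203"
    msg.set_content("Read the enclosed file for details.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="DHL_Delivery_Report-073A771203.zip")
    return msg


def disguised_executable(name):
    """True for names like report.pdf.exe: document-looking extension followed by an executable one."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DOC_EXTS


def scan_message(msg):
    """Return a list of findings for a parsed email; empty list means nothing suspicious."""
    findings = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        findings.append("subject matches DHL Delivery Status ID lure")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for info in zf.infolist():
                    if disguised_executable(info.filename):
                        findings.append(f"{fname}: disguised executable {info.filename}")
        except zipfile.BadZipFile:
            findings.append(f"{fname}: attachment is not a valid ZIP archive")
    return findings
```

Run `scan_message(build_sample_email())` to see both the subject and the .pdf.exe member flagged; the same function works on any message parsed with `email.message_from_bytes(..., policy=email.policy.default)`.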