“DHL shipment failed to arrive” delivery failure notification by email contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “DHL shipment failed to arrive” or “DHL Private delivery services”.

This email is send from the spoofed address “DHL Service <service@dhl-globalmail.com>” and has the following body:

Dear ****@****.co.uk
Your parcel arrived at the post office on April 22. Our courier was unable to deliver the parcel to your adress.
To receive the parcel you should go to the nearest DHL office and take your mailing label with you.

The mailing label is attached. Please print it and show at the nearest DHL office to receive the parcel.

Thank you for using DHL Service!

Princes Court, 11
Wapping Ln, London,
E1W 2DA,United Kingdom
Toll Free: +44 20 7553 2200
Hours:Open today · 9:00 am – 7:00 pm


The attached ZIP file has the name DHL_label_56047.zip and contains the 142 kB large file Label_87698_id_2518023.pdf.exe.

The trojan is known as Trojan.Agent.ED, HEUR/Malware.QVM20.Gen, PE:Malware.XPACK-HIE/Heur!1.9C48, Troj/Zbot-IDQ or TROJ_GEN.F47V0423.

At the time of writing, 6 the 51 AV engines did detect the trojan at Virus Total.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: c2e20aae93b43ea9d1d66b3c6ab518dfb5dc8045ca10e099ba4f145a0066dc01.

5 thoughts on ““DHL shipment failed to arrive” delivery failure notification by email contains trojan

  1. Still not useful when you don’t set malwr.com to share. Researchers would like to get their hands on malware to test signatures and what not.

    • The file was already known at Malwr so I’m only linking to the analysis that has been done in the past. Researchers can login and click on the download button that is present under File details.

Comments are closed.