Mailicious order.zip file attached to fake shipping confirmation of Amazon


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Shipping Confirmation : Order #002-3211457645-2311453865”.

This email is send from the spoofed address “Amazon.com” <newshdwy@acclus.com>”, the real SMTP from address is “amazonsupprt@acclus.com” and has the following body:

Hello ,
Thank you for shopping with us. We’d like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order report is attached here.

This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.

Screenshot of the email:

The attached ZIP file has the name order.zip and contains the 100 kB large file order_id_26348273894729847239.exe.

The trojan is known as Win32:Malware-gen, Trojan.Malware.Obscu.Gen.004, Spyware.Zbot.VXGen, Win32/Trojan.Multi.daf or PE:Trojan.Kryptik!1.9A50.

At the time of writing, 6 of the 51 AV engines did detect the trojan at Virus Total.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 64bbdf13bff5737f1de6e664ad9060e2d01517ec7f027e2b81464b579c71ce4a.