Fake booking.com reservation confirmation with attached ZIP file contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Reservation for Thursday, June 12, 2014 BN_4914940” that remains almost undetected by anti virus scanners (at the time of writing only 2 of the 51 AV engines did detect the trojan at Virus Total).

This email is send from the spoofed address “Booking.com” and has the following body:

Thanks! Your reservation is now confirmed.

BOOKING.COM online hotel reservations
Booking number: 4914940
PIN Code: 6287
Email: ****@****.***
Your reservation: 1 night, 1 room
Check in: Thursday, June 12, 2014
(2:00 pm – 00:00 am)
Check out: Friday, June 13, 2014
(until 12:00 pm)
Superior Double Room $1,300.68
VAT (20%) included $449.92
Total Price $1,750.60

Screenshot of the email:

The attached ZIP file has the name BN_4914940.zip and contains the 95 kB large file report_92da3ec16736842.pdf.exe.

Please note that the numbers in the subject, message or attachment may vary with each email.

The trojan is known as PWSZbot-FXE!3B53E958ECF1  or TrojanSpy.Zbot.herw.

At the time of writing, 2 of the 51 AV engines did detect the trojan at Virus Total so be cautions with this file or the email. MX Lab recommends not top download/open the attached ZIP file in any way because virus definitions are not yet distributed accordingly. Remove the email immediately from your computer.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 25e438be8daffc316e5d48e0efdf325ce194db90608182ebc122d77590520110.