Fake email “Failed delivery for package #0231764” from Canada Post contains URLs to malicious file

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Failed delivery for package #0231764” from Canada Post regarding a failed attempt to deliver an item.

This email is sent from the spoofed address “Canada Post <tracking@canadapost.com>” and has the following body:

Dear customer,

We attempted to deliver your item on Jul 2nd, 2014 , 05:44 AM.
The delivery attempt failed because no person was present at the shipping address, so this notification has been automatically sent.
You may arrange redelivery by visiting the nearest Canada Post office with the printed shipping inboice mentioned below.

If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
TRACKING Number: RT000961269SG
Expected Delivery Date: JUL 2nd, 2014
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent

The shipping invoice can be viewed online, by visiting:

To download the shipping invoice, visit the following link:

Thank you,
© 2014 Canada Post Corporation

*** This is an automatically generated email, please do not reply ***


The first embedded URL hxxp://documents-signature.com/pdf_canpost_RT000961269SG.pdf leads to a website that shows a PDF file with a quite funny image (no offense intended):

The second embedded URL hxxp://documents-signature.com/pdf_canpost_RT000961269SG.zip leads to a malicious file, pdf_canpost_RT000961269SG.zip, that contains the file pdf_canpost_RT000961269SG.pif.
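A mail or web gateway can catch this kind of lure by looking inside ZIP files for members that Windows would run as programs, such as the .pif file here. The following is an added example, not part of the original MX Lab post; the extension blocklist, the document-keyword list and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that Windows launches as programs (assumed blocklist, extend as needed).
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Keywords a lure name borrows to look like a document (assumed list).
DOCUMENT_HINTS = ("pdf", "doc", "invoice", "xls")


def inspect_zip(data: bytes) -> list[dict]:
    """Return one finding per archive member that looks executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            ext = path.suffix.lower()
            # Encrypted members cannot be read without a password;
            # they are still judged by their file name.
            encrypted = bool(info.flag_bits & 0x1)
            magic = b""
            if not encrypted:
                with archive.open(info) as member:
                    magic = member.read(2)
            is_pe = magic == b"MZ"  # DOS/PE header, whatever the extension says
            if ext not in EXECUTABLE_EXTS and not is_pe:
                continue
            findings.append({
                "member": info.filename,
                "extension": ext,
                "pe_header": is_pe,
                "encrypted": encrypted,
                "document_lure": any(h in path.stem.lower() for h in DOCUMENT_HINTS),
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: harmless bytes with an MZ prefix, named like the lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("pdf_canpost_RT000961269SG.pif", b"MZ" + b"\x00" * 62)
        archive.writestr("readme.txt", b"constructed benign member")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding)
```

A finding with both `pe_header` and `document_lure` set is a strong reason to quarantine the archive before it reaches the recipient.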

The trojan is known as Backdoor.Bot or HEUR/Malware.QVM07.Gen.

At the time of writing, 2 of the 54 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: e0b8d24becb65d040b9e617c31acf6926d44343807bbac2423b28beab855ba75.
