Fake email USPS Ship notification contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Ship Notification”.

This email is sent from the spoofed address “USPS.com” and has the following body:


Our courier couldnt make the delivery of parcel to you at June 17 2014.
Print label and show it in the nearest post office.

Download attach . Print a Shipping Label NOW

USPS | Copyright 2014 USPS. All Rights Reserved.

Screenshot of the email:

The attached ZIP file is named notification.zip and contains the 67 kB file Notification_72384792387498237989237498237498.exe.

The trojan is known as Win32:Malware-gen, HW32.CDB.C647, W32/Trojan.BIFV-0857, W32/Trojan3.JCT or Trojan-Spy.Agent.

At the time of writing, 5 of the 54 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 2b920fe150ecbadc2d7befa45bc9a30e74c0e36269facfca745127d55b338977.
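
A mail-gateway style check for the attachment pattern described above, as an added example that is not MX Lab's code: it opens ZIP attachments by magic bytes and flags members that match the SHA256 above or carry a Windows executable extension. The extension list, the size cap and the sample message are assumptions constructed for illustration.

```python
import email
import hashlib
import io
import zipfile
from email.message import EmailMessage

# SHA256 of the executable as published on this page.
KNOWN_SHA256 = {"2b920fe150ecbadc2d7befa45bc9a30e74c0e36269facfca745127d55b338977"}
# Extensions treated as directly runnable on Windows (assumed list, extend as needed).
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
MAX_MEMBER = 20 * 1024 * 1024  # assumed cap so a zip bomb is never unpacked


def inspect_message(raw, known=KNOWN_SHA256):
    """Return (attachment, member, reason) for each risky member of an attached ZIP."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        data = part.get_payload(decode=True)
        # Trust the ZIP magic bytes, not the declared filename or MIME type.
        if not data or not data.startswith(b"PK\x03\x04"):
            continue
        name = part.get_filename()
        try:
            archive = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings.append((name, None, "corrupt-zip"))
            continue
        for info in archive.infolist():
            # Encrypted or oversized members cannot be hashed safely: report them.
            if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                findings.append((name, info.filename, "uninspectable"))
            elif hashlib.sha256(archive.read(info)).hexdigest() in known:
                findings.append((name, info.filename, "known-sha256"))
            elif info.filename.lower().endswith(EXEC_EXT):
                findings.append((name, info.filename, "executable-in-zip"))
    return findings


def build_sample():
    """Constructed message shaped like the one described; the payload is harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Notification_0000.exe", b"constructed harmless bytes")
    msg = EmailMessage()
    msg["Subject"] = "Ship Notification"
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="notification.zip")
    return msg.as_bytes()
```

With only 5 of 54 engines detecting the file at the time of writing, the extension rule is what catches a repacked sample whose hash no longer matches.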