MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Delivery failure , July 28, 2014 BN_1479139”.
This email is send from the spoofed address “UKMail Express <email@example.com>” and has the following body:
An urgent service package has come to the local post office. Delivery was rescheduled because our courier was not able to deliver the package [RECEIVER NOT PRESENT].
You can find more information including contact details regarding your package in the attached file.
Copyright © 2014 UKMail Group plc
The attached ZIP file has the name BN_1479139.zip and contains the folder with name report_form2_28-07-2014.pdf. Inside this folder the 115 kB large file report_form2_28-07-2014.pdf.scr can be found.
The trojan is known as Inject2.APMO, TR/Crypt.Xpack.94374, Win32/TrojanDownloader.Agent.SBP, Trojan.Win32.Inject.ohic, Troj/DwnLdr-LTD or Win32:Trojan-gen.
At the time of writing, 29 of the 54 AV engines did detect the trojan at Virus Total.
Use the Virus Total permalink for more detailed information.