New fake Air Canada emails with ticket and flight confirmation leads to malicious ZIP file

MX Lab,, started to intercept a new trojan distribution campaign by email with the subjects like:

Order #70189189901 successfully – Ticket and flight details
Order #70189101701 paid – E-ticket and flight details

This email is send from the spoofed address  “” <>” and has the following body:

Dear client,

Your order has been successfully processed and your credit card charged.

FLIGHT – QB70189101701CA
DATE / TIME – Dec 4th 2014, 15:30

Your ticket can be downloaded and printed from the following URL :

For information regarding your order, contact us by visiting our website : hxxp://
Thank you for choosing Air Canada

The embedded URL does not points the browser to the real web site address but to hxxp:// Once this file is extracted you will have the 209 kB large file pdf_ticket_QB70189189901CA.pif.

The trojan is known as Trojan.MalPack or a variant of Win32/Injector.BQPL.

This trojan has the ability to fingerprint the system, start a server listening on a local machine, create Zeus mutexes, installs itself to autorun, modifies local firewall and policies.

At the time of writing, 2 of the 52 AV engines did detect the trojan at Virus Total.

Use the Virus Total permalink or Malwr permalink for more detailed information.
SHA256: 8aba09320c5a5844ceb64ef06624eda221578667a1fa59feb3b2c94aabae96fb