Attached zip file email “2015 PMQ agreement” contains trojan

MX Lab started to intercept a new trojan distribution campaign by email with the subject “2015 PMQ agreement”.

This email is sent from the spoofed address “” and has the following body:


I have Not received your signed contract for the 2015 ad campaign. If you would please sign and return.

Thank you

Watch our 2015 PMQ Media Kit here:
PMQ Pizza Magazine
Linda Green / Co-Publisher
(662)234-5481 ext 121 /
cell (662)801-5495
PMQ Pizza Magazine Office: 662-234-5481 x121 / Fax: 662-234-0665
605 Edison Street, Oxford, MS 38655

Don’t forget to renew your subscription to the magazine at

The attached zip file contains the 12 kB file American_Wholesale.exe.

The trojan is known as Trojan/Win32.Upatre, Upatre-FAAR!D8D4189A5364, Trojan.Agent/Gen-Downloader or Win32.Trojan.Downloader-pdf.Auto.

At the time of writing, 8 of the 57 AV engines at VirusTotal detected the trojan.

See VirusTotal or Malwr for more detailed information.
SHA256: ae71d65a32303f1f129292420532be2c907d04a05c1aef9a429ecf487b578681
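
A mail-gateway style check for the pattern described above, as an added example that is not part of the original advisory: it opens zip attachments, flags members that are Windows executables (by extension or `MZ` header), and compares each member's SHA256 with the hash listed here. The extension list, the size cap, the attachment name `agreement.zip` and the harmless sample message are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# SHA256 listed on this page for the attached sample
KNOWN_BAD = {"ae71d65a32303f1f129292420532be2c907d04a05c1aef9a429ecf487b578681"}
EXEC_EXT = (".exe", ".scr", ".com", ".pif")  # assumed extension blocklist
MAX_MEMBER = 10 * 1024 * 1024  # assumed cap, avoids unpacking zip bombs

def scan_message(raw: bytes) -> list[dict]:
    """Return one finding per suspicious member of any zip attachment."""
    findings = []
    for part in message_from_bytes(raw).walk():
        payload = part.get_payload(decode=True)  # None for multipart containers
        if not payload or not payload.startswith(b"PK"):
            continue  # not a zip archive
        try:
            archive = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            continue
        for info in archive.infolist():
            if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                findings.append({"name": info.filename, "reason": "uninspectable"})
                continue  # encrypted or oversized member
            data = archive.read(info)
            digest = hashlib.sha256(data).hexdigest()
            if digest in KNOWN_BAD:
                reason = "known-hash"
            elif data[:2] == b"MZ" or info.filename.lower().endswith(EXEC_EXT):
                reason = "executable-in-zip"
            else:
                continue  # benign-looking member
            findings.append({"name": info.filename, "sha256": digest, "reason": reason})
    return findings

def build_sample() -> bytes:
    """Constructed message: harmless bytes with an MZ prefix, not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("American_Wholesale.exe", b"MZ" + b"\x00" * 62)
        z.writestr("readme.txt", b"hello")
    msg = EmailMessage()
    msg["Subject"] = "2015 PMQ agreement"
    msg.set_content("constructed body text")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="agreement.zip")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` returns a single `executable-in-zip` finding for `American_Wholesale.exe`; the real sample would be reported as `known-hash` instead.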