MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “DHL Delivery”.
This email is sent from the spoofed address “DHL Express UK <**.**@***.**>” and has the following body:
YOUR SHIPMENT IS ON ITS WAY
You have changed or confirmed the delivery details for your DHL EXPRESS shipment with waybill number 0350144045.
The scheduled delivery is Fri Apr 07 2017 before End of Day.
Thank you for using On Demand Delivery.
DHL Express – Excellence. Simply delivered.
The embedded URL leads to hxxp://eisenmenger.us/photoarchive/wp-content/themes/Anderson-twentytwelve-child/dhl___status__fkab42676zpXt/, which will download a file named dhl___status__8029174876_____Fri___Apr___07___2017.js.
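A mail-triage check built from the traits reported above (the subject line, a DHL display name on a non-DHL sender domain, and the dhl___status__ naming in the link path), added here as an example and not MX Lab's own code. The allow-listed domain, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains accepted as genuine DHL senders; replace with your own allow-list.
DHL_DOMAINS = ("dhl.com",)
# Lure naming reported on the page: "dhl___status__<token>" in the URL path and file name.
LURE_RE = re.compile(r"dhl_{2,}status_{2,}", re.I)
# Accepts live and defanged (hxxp) schemes so the rule also works on quoted reports.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"'<>]+", re.I)

def is_dhl_domain(domain):
    return any(domain == d or domain.endswith("." + d) for d in DHL_DOMAINS)

def score_message(raw):
    """Return the list of campaign traits found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    if "dhl delivery" in msg.get("Subject", "").lower():
        findings.append("subject")
    name, addr = parseaddr(msg.get("From", ""))
    if "dhl" in name.lower() and not is_dhl_domain(addr.rpartition("@")[2].lower()):
        findings.append("display-name-mismatch")
    # Collect every text part so links in multipart messages are also scanned.
    body = " ".join(
        (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    for url in URL_RE.findall(body):
        parts = urlsplit(re.sub(r"^hxxp", "http", url, flags=re.I))
        if LURE_RE.search(parts.path):
            findings.append("lure-url:" + (parts.hostname or "?"))
    return findings

# Constructed sample messages (not taken from the campaign).
SUSPECT = (
    "From: DHL Express UK <notice@sender.example>\n"
    "Subject: DHL Delivery\n\n"
    "Track it: hxxp://files.example.org/wp-content/themes/x/dhl___status__abc123/\n")
BENIGN = (
    "From: DHL Express UK <noreply@dhl.com>\n"
    "Subject: Shipment update\n\n"
    "Details: https://www.dhl.com/track\n")

if __name__ == "__main__":
    print(score_message(SUSPECT))
    print(score_message(BENIGN))
```

Any single finding is weak on its own; the display-name mismatch together with a lure-path link is the combination worth quarantining on.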