Threat Outbreak Alert: Fake Product Invoice Notification Email Messages on September 10, 2014

2014-02-04T19:43:57
ID CISCO-THREAT-32697
Type ciscothreats
Reporter Cisco
Modified 2014-09-11T13:23:51

Description

Medium

Alert ID: 32697

First Published: 2014 February 4 19:43 GMT

Last Updated: 2014 September 11 13:23 GMT

Version: 62

Summary

  • Cisco Security has detected significant activity related to spam email messages that claim to contain an invoice notification for the recipient. The text in the email message attempts to convince the recipient to open the attachment and view the details. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.

Email messages that are related to this threat (RuleID4626KVR) may contain the following files:

The Invoice_232014.exe file in the Invoice_0029552.zip attachment has a file size of 18,944 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x798D5F96F695CEA8A670C4FA699ADBE5

The invoice_c31fa4469d671ae601_7686517af4e59a.pdf.exe file in the invoice.zip attachment has a file size of 110,085 bytes. The MD5 checksum is the following string: 0xC31FA4469D671AE6017686517AF4E59A

The invoice_192383572945734984_879234as.pdf.exe file in the invoice.zip attachment has a file size of 112,288 bytes. The MD5 checksum is the following string: 0x0DA5FBDB8FBF8F7133C008AD089CD774

The product sample.exe file in the Profoma Invoice.zip attachment has a file size of 977,791 bytes. The MD5 checksum is the following string: 0x596468C9586F88796D502A60E43A547D

The DE DE Anwaltschaft abgewiesene Rechnung.com file in the DE DE Forderung der abgewiesenen Lastschrift.zip attachment has a file size of 41,157 bytes. The MD5 checksum is the following string: 0xBBD57E2FCAB8E699355B33F004BD742A

The Karl-Eugen Meyle Inkasso Buro stornierte Rechnung.com file in the Karl-Eugen Meyle Rechnung der abgewiesenen Lastschrift.zip attachment has a file size of 31,232 bytes. The MD5 checksum is the following string: 0x8786233784F537F6D5FEE26DA6E74C46

The invoice 2014.scr file in the invoice 2014.zip attachment has a file size of 1,110,343 bytes. The MD5 checksum is the following string: 0x7635E023862B5B48507CA7566B89E318

The Invoice27.pdf.scr file in the Invoice27.pdf.zip attachment has a file size of 352,256 bytes. The MD5 checksum is the following string: 0x56146E11B08B6322D01B5B7E283BB937

The invoice_11222259844984df9234481_23948ue.pdf.exe file in the invoice.zip attachment has a file size of 119,940 bytes. The MD5 checksum is the following string: 0xA29D8708B67AA525DB9ED1EC2254467C

The P2111932.exe file in the invoice.zip attachment has a file size of 940,358 bytes. The MD5 checksum is the following string: 0x3ED03D0F282336F228E2474E5695CDEB

The Invoice02132014.scr file in the Invoice02132014.zip attachment has a file size of 16,384 bytes. The MD5 checksum is the following string: 0x302524C7102D00D480BC52B1DC59F7DF

The CRD invoice.scr file in the parkin list invoice.zip attachment has a file size of 301,729 bytes. The MD5 checksum is the following string: 0x6FD70EE9A946C744BB0F8BEBD60D9EF8

The invoice_01983471987492358_92834xj.pdf.exe file in the invoice.zip attachment has a file size of 90,910 bytes. The MD5 checksum is the following string: 0x1A206BF5156357D3B7928330594DD322

The Swift tt.scr file in the Swift tt.zip attachment has a file size of 991,157 bytes. The MD5 checksum is the following string: 0x3814C042B1E895CE8BAB7C0A935E4790

The new_P0_invoice.scr file in the new_P0_invoice.zip attachment has a file size of 215,865 bytes. The MD5 checksum is the following string: 0xE76436873029ECC00E6EBE0148EBDCBE

The invoice_72389413841124234_81412so.pdf.exe file in the invoice.zip attachment has a file size of 98,040 bytes. The MD5 checksum is the following string: 0xEC154129F004BE3DF27D6E0996407ECB

The INVOICE AND BL.exe file in the INVOICE AND BL (2).zip attachment has a file size of 268,288 bytes. The MD5 checksum is the following string: 0xD0210A18883D089A88B1BA6494E69B61

The Invoice_06032014.exe file in the Invoice_0348270.zip attachment has a file size of 18,944 bytes. The MD5 checksum is the following string: 0xBE004D02DD97E63EAAC6D9E48713F846

The Commercial invoice.scr file in the Commercial invoice.zip attachment has a file size of 1,360,086 bytes. The MD5 checksum is the following string: 0x009141D59496FA96236B747D7101B522

The invoice_82983592230496798523_92382394ee.pdf.exe file in the invoice.zip attachment has a file size of 137,526 bytes. The MD5 checksum is the following string: 0x85AF460A3B2E95229CE06F5F747BEAE4

The image.scr file in the invoice.zip attachment has a file size of 258,048 bytes. The MD5 checksum is the following string: 0xAA04D23EC9AE172897772BD3AC3A1B38

The Proforma Invoice.exe file in the Proforma Invoice.zip attachment has a file size of 439,296 bytes. The MD5 checksum is the following string: 0x9804B8AA1A794FC2FE0B9012BAC11DC3

The invoice_834952950236823385_235829429ff.pdf.exe file in the invoice.zip attachment has a file size of 38,928 bytes. The MD5 checksum is the following string: 0xCC1FFA3177D4E3ABF85EBEAB10B72FC7

The swift copy.scr file in the swift copy.zip attachment has a file size of 284,537 bytes. The MD5 checksum is the following string: 0x7C0D8D9EBB117A0EF6825A44D3EF57C5

The Invoice_03112014.scr file in the Invoice_6158936.zip attachment has a file size of 18,432 bytes. The MD5 checksum is the following string: 0xC0E5605A7A3EC0CE3DDB621B87FA0FAC

The invoiceID-EXYXNB4Q65DGLDDLM2SCL4W079.PDF______.scr file in the invoiceID-EXYXNB4Q65DGLDDLM2SCL4W079.zip attachment has a file size of 191,336 bytes. The MD5 checksum is the following string: 0xD009AE92CAE374C394766D46AABC6F35

The INVOICE.exe file in the 100199.zip attachment has a file size of 814,809 bytes. The MD5 checksum is the following string: 0x63BC9AA52E73F4E1FA1D0904F872B967

The Invoice_Products.scr file in the Invoice_Products.zip attachment has a file size of 1,228,800 bytes. The MD5 checksum is the following string: 0xC9AF9FE689559BEE9B5AA2A8D592BD7F

The Profoma Invoice.exe file in the Profoma Invoice.zip attachment has a file size of 1,481,991 bytes. The MD5 checksum is the following string: 0x6A53793796D107FFC29734AB1F4CFF7B

The Invoice_040314.scr file in the Invoice_0053909.zip attachment has a file size of 23,552 bytes. The MD5 checksum is the following string: 0xC941E2997DC2A1E39515D226E1830DB4

The Please_print_this_invoice.exe file in the Invoice_Order-9891.zip attachment has a file size of 163,840 bytes. The MD5 checksum is the following string: 0x299FB131B64268F6FBAB30F897F39009

A variant of the Please_print_this_invoice.exe file in the Invoice_Order-6324.zip attachment has a file size of 163,840 bytes. The MD5 checksum is the following string: 0xA826112BBBDE82B038B81A6B43CB4F55

The CDS_INVOICE_168027.exe file in the CDS_INVOICE_168027.PDF.zip attachment has a file size of 185,344 bytes. The MD5 checksum is the following string: 0x2EBE17BFF66111271345185C581F428E

The Invoice.scr file in the Invoice (1).zip attachment has a file size of 2,077,631 bytes. The MD5 checksum is the following string: 0x04C43C81A97EE37F02A0D5A576E8CB1B

The DOC_0011873892118200118738921182-pdf.exe file in the invoice.zip attachment has a file size of 1,324,720 bytes. The MD5 checksum is the following string: 0xFEEC0289F5E787175C4FBDBDA5A364CF

The Inoice March 2014.exe file in the Invoice 125943 March 2014.zip attachment has a file size of 30,720 bytes. The MD5 checksum is the following string: 0x986A9BAAD0055371D9AD4EE3A17149E9

A variant of the invoice.exe file in the Inward_tt.zip attachment has a file size of 1,202,791 bytes. The MD5 checksum is the following string: 0x5731BB6D5FA31DA68C253F21B9A32D5B

The March invoice 8912.exe file in the March invoice 3187.zip attachment has a file size of 14,336 bytes. The MD5 checksum is the following string: 0x67FA719CA9C20016B7D044D179BB2A2F

The TT SWIFT.exe file in the TT SWIFT.zip attachment has a file size of 973,919 bytes. The MD5 checksum is the following string: 0x5ED6575732EE0109322A63F1C8C03750

The DE DE Center Abo-Abrechnung.com in the Center Abo-Rechnung 23.04.2014 DE DE.zip file has a file size of 90,112 bytes. The MD5 checksum is the following string: 0x0361C2685BF799C04D796A6D18E1F075

The invoice_9018.1966.6985.exe in the invoice.zip file has a file size of 66,560 bytes. The MD5 checksum is the following string: 0x4F10C9E945B15D1AFCB14671FC75E04D

The Invoice 288910 March 2014.exe in the Invoice 974175 March 2014.zip file has a file size of 14,848 bytes. The MD5 checksum is the following string: 0xCB4C9465CDC79E6020854F5BC43B533D

The Booking confirmation.scr file in the Booking number 584887897.zip attachment has a file size of 19,968 bytes. The MD5 checksum is the following string: 0xD1E1AFC0100587C2AB1C03B61EC69CE5

The UPS Invoice.scr file in the UPS_Invoice_3841260195.zip attachment has a file size of 26,624 bytes. The MD5 checksum is the following string: 0xEBA972CECE9ABA5DE251234262462CD4

The TT SWIFT COPY.pdf.exe file in the TT SWIFT COPY.pdf.rar attachment has a file size of 36,864 bytes. The MD5 checksum is the following string: 0x00E7920151B7D37183FAF6C6EE807257

A variant of the Invoice.scr file in the Invoice..zip attachment has a file size of 569,344 bytes. The MD5 checksum is the following string: 0xEF71C9BBFCE2136C89EC920BD2FFD0C7

The emailinvoice.899191.exe file in the emailinvoice.070995.zip attachment has a file size of 90,112 bytes. The MD5 checksum is the following string: 0x5C65882B927AEA3DDB58E16844B8205A

The Swift 05052014.exe file in the Swift 05052014.zip attachment has a file size of 577,536 bytes. The MD5 checksum is the following string: 0x6DB3A401E6A3B85FD6EEDB2CE2191F33

The Inv_4783.exe file in the SwiftCopySlip.zip attachment has a file size of 1,032,704 bytes. The MD5 checksum is the following string: 0x12190E5519807C63E20F9345E1983076

A third variant of the Invoice.scr file in the Invoice.zip attachment has a file size of 1,041,408 bytes. The MD5 checksum is the following string: 0eae7e8e250aa66937d24d686e3548ed

The Swift copy.exe file in the Swift copy.zip attachment has a file size of 430,144 bytes. The MD5 checksum is the following string: 0xA0732E756975FB5AE48C05A7644FDEAF

The New Order.exe file in the invoice.zip attachment has a file size of 238,024 bytes. The MD5 checksum is the following string: 0xB822B0A9E9574DBC9C71A20DBF0952D1

The Rechnung.Pdf______.exe file in the Rechnung.zip attachment has a file size of 123,392 bytes. The MD5 checksum is the following string: 0x94A58B2232DCAA70C073F9A786100BB1

The Invoice_22052014.scr file in the Invoice_8382839.zip attachment has a file size of 14,336 bytes. The MD5 checksum is the following string: 0x6E22237373D7D66F1B05AEE1A8246A40

The swiftcopy.exe file in the swiftcopy.zip attachment has a file size of 637,952 bytes. The MD5 checksum is the following string: 0xF32F0610951E1EF8D442ED33778F082A

The Payment Invoice.exe file in the Payment notification.zip attachment has a file size of 487,368 bytes. The MD5 checksum is the following string: 0xC0C7DA66DAD16E535A9EDF9965EA7F57

The INVOICE & PACKAGING LIST.exe file in the INVOICE & PACKAGING LIST.zip attachment has a file size of 698,891 bytes. The MD5 checksum is the following string: 0xA562030E4A7F0C610947CBDE59524989

The TT swift copy for order#108991.exe file in the TT swift copy for order#108991.zip attachment has a file size of 274,432 bytes. The MD5 checksum is the following string: 0x9A9815F9A599ACEC4E7409741C9AAE0D

The invoice_32990192.exe file in the invoice_9706253.zip attachment has a file size of 130,560 bytes. The MD5 checksum is the following string: 0xB8A7201F36DBE1D5886E1B4D5D9B4B0F

The invoice_32990192.exe file in the invoice_1463874.zip attachment has a file size of 117,760 bytes. The MD5 checksum is the following string: 0xFC1D307B3A09229FE657770A42721421

The Ticket_confirmation.exe in the Ticket_confirmation.zip file has a file size of 86,528 bytes. The MD5 checksum is the following string: 0x8B548F5B0C59860DA64D09B35B550735

A third variant of the invoice.exe file in the INVOICE.zip attachment has a file size of 653,824 bytes. The MD5 checksum is the following string: 0xBF8628CB2B84B33A8A3D4254F65F0F34

The Swift MT 103.exe file in the Swift MT 103.zip attachment has a file size of 265,728 bytes. The MD5 checksum is the following string: 0x1DA59A1A4597683C8BD61BA52A98250A

The Rechnung_46586BGCGCG__4658634221.exe file in the Rechnung_46586BGCGCG__4658634221.zip attachment has an unknown file size. The MD5 checksum is not available.

The victor (2).exe file in the swift cop of payment.zip attachment has a file size of 410,723 bytes. The MD5 checksum is the following string: 0x7797220357C4DEDA2536AC1407AD1950

The payment confirmation.exe file in the Payment Confirmation.zip attachment has a file size of 258,560 bytes. The MD5 checksum is the following string: 0xDC8DF2833A36087D8627136C025C822F

The Crypted.exe file in the profoma invoice.zip attachment has a file size of 277,136 bytes. The MD5 checksum is the following string: 0x9803268F5ADBDE86705C64539A252445

The SKMBT..exe file in the Invoice Payment.zip attachment has a file size of 568,320 bytes. The MD5 checksum is the following string: 0x781602537483C864BAB24A6645B339E0

The Rechnung_24_14_06_198630274520031_telekom_deutschland_GmbH.exe file in the 2014_06rechnung_32694824254125_sign.zip attachment has a file size of 145,408 bytes. The MD5 checksum is the following string: 0xCABAA12619F1BB94F0698F7DD65496F1

The MT103 Swift Transfer.exe file in the MT103 Swift Transfer.zip attachment has a file size of 916,480 bytes. The MD5 checksum is the following string: 0x514874332B2128355E58BE914F634764

The PO_2506.exe file in the SwiftCopySlip.zip attachment has a file size of 916,480 bytes. The MD5 checksum is the following string: 0x3964FF455344161C660FF673142FDF72

The tt swift copy.exe file in the tt swift copy.zip attachment has a file size of 321,152 bytes. The MD5 checksum is the following string: 0x9539FB4E6C74142D353D8EB09ECA4E07

The payment confirmation.exe file in the Bill Of Lading.zip attachment has a file size of 277,632 bytes. The MD5 checksum is the following string: 0x8DD0874F836DF4D8A091138CAA58FFEE

The Confirmation.scr file in the Confirmation (2).zip attachment has a file size of 467,968 bytes. The MD5 checksum is the following string: 0x416CF1B6333DF4E528199FF02FFCA932

The swift.exe file in the Invoice-Parkinglist-xls.zip attachment has a file size of 312,992 bytes. The MD5 checksum is the following string: 0x8ADB8359DE50665E0C1B32879FF3D5C5

The Proforma Invoice.scr file in the Proforma Invoice.zip attachment has a file size of 1,026,048 bytes. The MD5 checksum is the following string: 0x886D85D91E6CC107757344546DF7BE39

The Transfer Copy_pdf.exe file in the Transfer Copy_pdf.zip attachment has a file size of 234,641 bytes. The MD5 checksum is the following string: 0x8F6D0A510942F40E7034692FE97BCCF7

The MT103 SWIFT.scr file in the MT103 SWIFT (1).zip attachment has a file size of 231,953 bytes. The MD5 checksum is the following string: 0xA4B5574858F451E38D1A9A0D758160A4

The e-Transfer_Report.scr file in the e-Transfer_Report.zip attachment has a file size of 24,576 bytes. The MD5 checksum is the following string: 0x38C5E2C8C40EC43F7B71325046608381

The invoice_28.07.doc.exe file in the invoice_28.07.zip attachment has a file size of 66,048 bytes. The MD5 checksum is the following string: 0x71AD502EF681A6A3C6CBF3CCD7D3D5B1

The Payment_Slip.scr file in the Payment_Invoice.zip attachment has a file size of 598,528 bytes. The MD5 checksum is the following string: 0xA9220AC9FDB05BFB388A471DEBEE4E5B

The CDS INVOICE 8831001.exe file in the Order 3977278.zip attachment has a file size of 81,920 bytes. The MD5 checksum is the following string: 0x3E1D4A74671B9DBDCEFE4DEFCB6071E7

The WireTransfer.scr file in the WireTransfer.zip attachment has a file size of 252,928 bytes. The MD5 checksum is the following string: 0x36241099B80268292F312AC759E26CF3

The Swift 06082014.exe file in the Swift 06082014.zip attachment has a file size of 199,680 bytes. The MD5 checksum is the following string: 0x330B9B3C21204A3E7F2D39DCFD24AC53

The invoice 882931.exe file in the invoice 4058366.zip attachment has a file size of 77,824 bytes. The MD5 checksum is the following string: 0xB388F8EB12A63722DDFDBA1149540256

The Invoice_9640371_34.exe file in the 9040082_26.zip attachment has a file size of 69,632 bytes. The MD5 checksum is the following string: 0x38056D95B841BA9A5BC9E961402EF982

The INVOICE 679965.exe file in the INVOICE 679965.zip attachment has a file size of 522,752 bytes. The MD5 checksum is the following string: 0x57469ACE456F367A2F694793C7E73D80

The Rechnung 19.08.2014 - Inkasso Paypal GmbH.com file in the Assunta Lauro Ausgleich nicht gedeckten Lastschrift Ihrer Bestellung Paypal vom 19.08.2014.zip attachment has a file size of 86,016 bytes. The MD5 checksum is the following string: 0xEA847008F9AEDD7EB8B4CA3B45258549

A fourth variant of the invoice.exe file in the Invoice (1).zip attachment has a file size of 257,664 bytes. The MD5 checksum is the following string: 0xF6B105D29BB2D6550A04A55B41784740

The Payment invoice.scr file in the Payment invoice.zip attachment has a file size of 345,600 bytes. The MD5 checksum is the following string: 0xAC5C976E4890E8BE3400B546A790BE58

A fifth variant of the Invoice.exe file in the invoice.zip attachment has a file size of 221,250 bytes. The MD5 checksum is the following string: 0xD068990D383E3394AC795D62390F8596

The Invoice_08262014.exe file in the 0043 - 7195922.zip attachment has a file size of 65,536 bytes. The MD5 checksum is the following string: 0xE948932FD9AE6BFEE58B279B4B119B7A

A variant of the invoice_01983471987492358_92834xj.pdf.exe file in the Invoice_9193173.zip attachment has a file size of 33,280 bytes. The MD5 checksum is the following string: 0xC4138D5074551D31733CD228A7393C30

The invoice_478511269.exe file in the invoice_478511269.zip attachment has a file size of 33,792 bytes. The MD5 checksum is the following string: 0xB064F8DA86DB1C091E623781AB464D8A

The Forderung 26.08.2014 - Abrechnung Ebay AG.com file in the Klaus E. Kappler nicht gedeckten Zahlung Ihrer Bestellung Ebay vom 26.08.2014.zip attachment has a file size of 328,704 bytes. The MD5 checksum is the following string: 0xD5715D86E3B68A86BE36EE8DD2225C8A

The REVISED INVOICE.scr file in the REVISED INVOICE.zip attachment has a file size of 201,216 bytes. The MD5 checksum is the following string: 0xB3FB014EA341F11E380E8D467A0889D4

The Signed Invoice.docx.exe file in the Sign Invoice.zip attachment has a file size of 832,000 bytes. The MD5 checksum is the following string: 0xE87DEE2680B05244ADC4336D4B6C20B0

The AutoInvoice.scr file in the AutoInvoice.zip attachment has a file size of 20,480 bytes. The MD5 checksum is the following string: 0xFBB4AFDDBD6DCDCD5E3BB622FF8922D7

A sixth variant of the INVOICE.exe file in the INVOICE.zip attachment has a file size of 949,248 bytes. The MD5 checksum is the following string: 0xF97825379655BD1D105ED49B6A5A2BCC

The INVOICE NUMBER #80077367 DOC .com file in the INVOICE NUMBER #80077367 DOC .zip attachment has a file size of 61,073 bytes. The MD5 checksum is the following string: 0xEB0C130D33D21D6EAFBCFC8BF5491B44
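
The file names above follow a few recurring patterns: an executable extension (.exe, .scr, .com) inside a .zip, often preceded by a document extension used as a decoy, sometimes with underscore padding between the two. The following Python code is an added example, not part of the Cisco alert, showing how a mail-filter hook could flag those patterns in an archive attachment; it goes one step beyond the names by also checking each member for the DOS "MZ" header. The function names, reason strings and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Extensions that Windows runs directly; the alert's samples use these three.
EXECUTABLE_EXTS = {"exe", "scr", "com"}
# Document extensions used as decoys in front of the real extension.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}

# Decoy extension, optional padding, then the real extension, for example:
#   "Invoice27.pdf.scr", "Rechnung.Pdf______.exe", "Transfer Copy_pdf.exe"
_DECOY_RE = re.compile(
    r"[._\-](?P<decoy>%s)(?P<pad>[_\s.]*)\.(?P<real>%s)$"
    % ("|".join(sorted(DECOY_EXTS)), "|".join(sorted(EXECUTABLE_EXTS))),
    re.IGNORECASE,
)


def classify_member(name):
    """Return the reasons an archive member name looks like a disguised executable."""
    # Keep only the file name and drop trailing dots/spaces, which Windows ignores.
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in EXECUTABLE_EXTS:
        return []
    reasons = ["executable-extension"]
    match = _DECOY_RE.search(base)
    if match:
        reasons.append("decoy-extension:" + match.group("decoy").lower())
        if match.group("pad"):
            reasons.append("padded-extension")
    return reasons


def scan_zip(data):
    """Map each suspicious member of a zip (given as bytes) to its list of reasons."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"<archive>": ["unreadable-zip"]}
    findings = {}
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if info.flag_bits & 0x1:
                # Encrypted members cannot be inspected without the password.
                reasons.append("encrypted-member")
            else:
                with archive.open(info) as handle:
                    if handle.read(2) == b"MZ":
                        # A name check alone misses binaries renamed to .pdf etc.
                        reasons.append(
                            "mz-header" if reasons
                            else "mz-header-without-executable-extension"
                        )
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Build a constructed test archive; members hold placeholder bytes, not programs."""
    fake_pe = b"MZ" + b"\x00" * 62  # only the two magic bytes matter here
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("Invoice27.pdf.scr", fake_pe)
        archive.writestr("Rechnung.Pdf______.exe", fake_pe)
        archive.writestr("statement.pdf", fake_pe)
        archive.writestr("readme.txt", b"plain text")
    return buffer.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(member, "->", ", ".join(why))
```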

The following text is a sample of the email message that is associated with this threat outbreak:

> Subject: RE: Invoice #0029552

Message Body:

Please see attached copy of the original invoice.

Or

> Subject: Payroll Invoice

Message Body:

Image removed by sender. ADP TotalSource
A copy of your ADP TotalSource Payroll Invoice for the following payroll is is attached in PDF file and available for viewing.
Year: 13
Week No:
08
Payroll No:
1
Please open attached file to view and check following payrol
Image removed by sender.
This email was generated by an automated notification system. If you have any questions regarding the invoice or you have misplaced your
MyTotalSource login information, please contact your Payroll Service Representative. Please do not reply to the email directly.
© 2013 Automatic Data Processing, Inc.
Image removed by sender.

Or

> Subject: Fwd: Payroll Invoice

Message Body:

You Have a New Fax Message
From: (605) 811-7616
Received: Wednesday, January 29, 2014 at 11:34 AM
Pages: 5
To view this message, please open the attachment
Thank you for using RingCentral.

Or

> Subject: Karl-Eugen Meyle Your invoice - Karl-Eugen Meyle Account direct debit could not be carried out 05.02.2014

Message Body:

Good day Karl-Eugen Meyle,
unfortunately, as of today we have not been able to see any receipt of your payment for our invoice HJU/06285957 of 03.01.2014. Surely this is just an oversight.
The attached payment claim is based on your order in the online shop of our client. In doing so, you confirmed that you had read and accepted the terms and conditions underlying the contract. You have exercised your right of withdrawal not at all, not in time, or ineffectively.
The invoice amount of the order is 451,00 euros. You have until 11.02.2014 as the last chance to pay the total amount. In addition, you will be charged a reminder fee of 15,00 euros and the costs of our engagement of 30,62 euros.
Kind regards
Leon Wunderlich

Or

> Message Body:

Invoice Payment Reminder

Or

> Subject: Invoice

Message Body:

Hello
We have made the corrections for the Invoice
Please find attached the correct Invoice RH120 for your perusal

Or

> Subject: Important - Payment Overdue

Message Body:

Please find attached your invoices for the past months. Remit the payment by 13/02/2014 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Dolores Britt

Or

> Subject: Payroll Invoice

Message Body:

ADP TotalSource
A copy of your ADP TotalSource Payroll Invoice for the following payroll is is attached in PDF file and available for viewing.
Year: 13
Week No: 08
Payroll No: 1
Please open attached file to view and check following payrol

Or

> We have made the payment as required kindly check payment details to know we made the payment as required.
Please check the attachment regarding the t.t copy.
Please note, below is payment detail :
Last Inv. : USD 32,000.00
We already t.t the USD 32,000.00 for you at 26.2.2013.
Please Run download to view the copy & sign this statement then confirm back by email.
Thank you.
Regards
Huong ( Ms. )

Or

> Subject: Po/inoice. ZDPKKDGCKF

Message Body:

Sir,
Kindly find attached our PO and see if your company can fulfill our order. Please provide us your best price and estimated shipment schedule.
Your immediate reply will be appreciated.
Regards,
Al-Hashil. (purchasing)
Alltech General Trading Co. W.L.L.

Or

> Subject: FW: Invoice & B/L status

Message Body:

Dear Sir,
Your Order is ready for shipment, so I am sending you Invoice & Packing List As requested.
Pls find details in the attached Invoice & Packing List.
Thanks With Regards,

Or

> Subject: Unpaid Invoice #0348270

Message Body:

Please see attached copy of the original invoice (Invoice_0348270.zip).

Or

> Subject: Message copied from system quarantine

Message Body:

The attached message was forwarded from an IronPort system quarantine,
and may contain a virus, spam, or other prohibited content.
Please find the attached invoice and pls confirm bank account before making payment.
Regards

Or

> Subject: The Invoice Payment

Message Body:

Hi...We just receive a confirmation payment from our company, and here is
your payment invoice details,kindly check and confirm it now...Thanks
.

Or

> Subject: BULK Re :Re :Re :Re :Re :Re :Proforma Invoice

Message Body:

Dear Sir,
Please find attached scan copy of proforma Invoice No. EXP-157/13 Dated 10-03-14 please kind add USD10214 with your next payment. Thanks in advance

Or

> Subject: Delivery Notification : GOCLXHK556GOCLXHK886

Message Body:

UPS
Package invoice delivery confirmation for GOCLXHK556GOCLXHK886
The shipping invoice can be downloaded from :
hxxp: //www.ups.com/WebTracking/track?loc=en_cbviewreceipt;jsessionid=GOCLXHK556GOCLXHK886;tracking=32C

Or

> Message Body:

Sent from Libero Mobile
Dear Sir/Madam
Upon customer's request, attached please find payment
e-Advice for your reference.
Yours faithfully

Or

> Message Body:

Dear sir,
We are interested in your product ,Kindly find our purchase order
attached and get back to us with your quotation.
Thanks & Regards

Or

> Subject: INVOICE

Message Body:

Hello Sir,
Please find the attached our invoice for the new order.
And inform us when the product will be ready for shippment.
Best Regards

Or

> Subject: March Invoice

Message Body:

Please find attached your March invoice, we now have the facility to email invoices, but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 107350 Account No 56095940.

Or

> Subject: Fwd: Vancouver Bullion & Currency Exchange

Message Body:

Greetings,
we sorry for service delay delivery, we encountered network connectivity problem yesterday, that is why we couldn't fellow up with an instruction from our customer, who directed us to send you a payment slip that was favoured on your account. kindly view the attachment and confirm with us as soon as possible.

Or

> Subject: Fwd: Payment failed.

Message Body:

Hello,
Dear customer, we are sorry to inform you that we have not received the fee paid for the last quarter. Attached is an invoice, in case you have had a problem with the above.

Or

> Subject: FW: BL Draft no:753799574

Message Body:

Hello Sir,
We are enclosed here with the final invoice & packing list along with BL draft no:753799574 for your reference.
please acknowledge Invoice for the final confirmation.

Or

> Message Body:

Dear Sirs:
Have a nice day!
We have paid $112,000USD for the order#108991 to your account. Please check the attached TT swift copy for and correspond your account information.You will receive payment in your account after a few days.
Please revert to confirm receipt.
Best regards
Super tools est

Or

> Subject: RE: Payment for PO#APBST3767

Message Body:

Hi
According to our email, payment has been made.
Attached is the swift copy of payment
Please check and confirm the attached and kindly arrange our delivery soonest.
JOMA MACHINE COMPANY, Inc.

Or

> Subject: Re:Fw: Payment Transfer Confirmation.

Message Body:

HSBC (www.hsbc.com)
About SecureMail Help
Secure Email from HSBC
Dear Sir/ Madam,
Please kindly download view payment confirmation slip attached below,This was sent for your company through one of your customers.
Regards
Monica..
About SecureMail
At HSBC, security is one of our highest priorities. Your message may contain sensitive or private information, therefore it has been secured by SecureMail.
To access your message you will need:
Connection to the internet and
Web browser to display the message
First-time users will also need to register with SecureMail. To register:
Open the enclosed attachment
Set up your SecureMail account
Verify and activate your account
By using SecureMail to access your message, you agree to our Privacy Statement and Terms and Conditions
Visit www.hsbc.com/secureemail for more information about SecureMail
Your Security Image
Personal Security Image
This image is to help prevent phishing. If you suspect that an email from HSBC is not genuine, please check with your HSBC representative by telephone before opening any attachments or links.
> Find out more on the SecureMail anti-phishing technology
Email security powered by Voltage IBE
Copyright HSBC Holdings plc 2010 - 2013. All rights reserved.
This email and any files transmitted are confidential and intended solely for the use of the individual or entity to whom they are addressed. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this email in error please delete it and all copies from your system and notify the sender immediately by return email.
Internet communications cannot be guaranteed to be timely, completely secure, error or virus-free. The sender does not accept liability for any errors or omissions.


This e-mail is confidential. It may also be legally privileged.
If you are not the addressee you may not copy, forward, disclose
or use any part of it. If you have received this message in error,
please delete it and all copies from your system and notify the
sender immediately by return e-mail.
Internet communications cannot be guaranteed to be timely,
secure, error or virus-free. The sender does not accept liability
for any errors or omissions.


"SAVE PAPER - THINK BEFORE YOU PRINT!"**

Or

> Subject: Re: Invoice Payment

Message Body:

Hello,
Here is the attached invoice for payment,
Please view and correspond all is correct so we can authorize the payment
Looking forward to hearing from you.
Thanks
Jose Carford
Head of account department
Account department
01183-350-082

Or

> Subject: Re: 3rd docs of JL.

Message Body:

Dear sir,
Sorry for late responds, Please kindly find attached invoice review
and reconfirm bank details Asap to proceed
Thanks
Regards


Cisco Security analysts examine real-world email traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global email security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Email that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security
Cisco SenderBase Security Network

Revision History

  • Version | Description | Section | Date
    ---|---|---|---
    62 | Cisco Security has detected significant activity on September 10, 2014. | | 2014-September-11 13:23 GMT
    61 | Cisco Security has detected significant activity on September 6, 2014. | | 2014-September-08 14:30 GMT
    60 | Cisco Security has detected significant activity on August 29, 2014. | | 2014-September-02 14:42 GMT
    59 | Cisco Security has detected significant activity on August 27, 2014. | | 2014-August-28 13:03 GMT
    58 | Cisco Security has detected significant activity on August 27, 2014. | | 2014-August-27 14:19 GMT
    57 | Cisco Security has detected significant activity on August 24, 2014. | | 2014-August-26 12:32 GMT
    56 | Cisco Security has detected significant activity on August 21, 2014. | | 2014-August-25 13:23 GMT
    55 | Cisco Security has detected significant activity on August 21, 2014. | | 2014-August-22 11:53 GMT
    54 | Cisco Security has detected significant activity on August 15, 2014. | | 2014-August-18 13:51 GMT
    53 | Cisco Security has detected significant activity on August 10, 2014. | | 2014-August-11 15:24 GMT
    52 | Cisco Security has detected significant activity on August 6, 2014. | | 2014-August-08 12:54 GMT
    51 | Cisco Security has detected significant activity on August 6, 2014. | | 2014-August-07 12:47 GMT
    50 | Cisco Security has detected significant activity on August 4, 2014. | | 2014-August-05 12:54 GMT
    49 | Cisco Security has detected significant activity on July 28, 2014. | | 2014-July-29 12:21 GMT
    48 | Cisco Security has detected significant activity on July 24, 2014. | | 2014-July-24 12:01 GMT
    47 | Cisco Security has detected significant activity on July 9, 2014. | | 2014-July-11 12:22 GMT
    46 | Cisco Security has detected significant activity on July 8, 2014. | | 2014-July-09 13:03 GMT
    45 | Cisco Security has detected significant activity on July 7, 2014. | | 2014-July-08 12:56 GMT
    44 | Cisco Security has detected significant activity on July 3, 2014. | | 2014-July-07 12:47 GMT
    43 | Cisco Security has detected significant activity on June 28, 2014. | | 2014-July-01 14:36 GMT
    42 | Cisco Security has detected significant activity on June 24, 2014. | | 2014-June-25 13:05 GMT
    41 | Cisco Security has detected significant activity on June 15, 2014. | | 2014-June-16 18:23 GMT
    40 | Cisco Security has detected significant activity on June 9, 2014. | | 2014-June-11 12:56 GMT
    39 | Cisco Security has detected significant activity on June 9, 2014. | | 2014-June-09 20:29 GMT
    38 | Cisco Security has detected significant activity on June 5, 2014. | | 2014-June-09 12:06 GMT
    37 | Cisco Security has detected significant activity on June 4, 2014. | | 2014-June-05 12:52 GMT
    36 | Cisco Security has detected significant activity on June 3, 2014. | | 2014-June-04 13:52 GMT
    35 | Cisco Security has detected significant activity on June 1, 2014. | | 2014-June-03 12:07 GMT
    34 | Cisco Security has detected significant activity on May 29, 2014. | | 2014-May-30 13:36 GMT
    33 | Cisco Security has detected significant activity on May 28, 2014. | | 2014-May-29 12:57 GMT
    32 | Cisco Security has detected significant activity on May 25, 2014. | | 2014-May-28 12:54 GMT
    31 | Cisco Security has detected significant activity on May 23, 2014. | | 2014-May-27 12:12 GMT
    30 | Cisco Security has detected significant activity on May 20, 2014. | | 2014-May-21 11:51 GMT
    29 | Cisco Security has detected significant activity on May 14, 2014. | | 2014-May-15 12:22 GMT
    28 | Cisco Security has detected significant activity on May 12, 2014. | | 2014-May-13 11:42 GMT
    27 | Cisco Security has detected significant activity on May 11, 2014. | | 2014-May-12 11:41 GMT
    26 | Cisco Security has detected significant activity on May 7, 2014. | | 2014-May-08 13:18 GMT
    25 | Cisco Security has detected significant activity on April 30, 2014. | | 2014-May-01 11:47 GMT
    24 | Cisco Security has detected significant activity on April 28, 2014. | | 2014-April-29 13:37 GMT
    23 | Cisco Security has detected significant activity on April 22, 2014. | | 2014-April-24 12:26 GMT
    22 | Cisco Security has detected significant activity on April 22, 2014. | | 2014-April-23 14:17 GMT
    21 | Cisco Security has detected significant activity on April 17, 2014. | | 2014-April-22 13:11 GMT
    20 | Cisco Security has detected significant activity on April 17, 2014. | | 2014-April-18 12:53 GMT
    19 | Cisco Security has detected significant activity on April 15, 2014. | | 2014-April-16 11:23 GMT
    18 | Cisco Security has detected significant activity on April 14, 2014. | | 2014-April-15 12:51 GMT
    17 | Cisco Security has detected significant activity on April 10, 2014. | | 2014-April-14 13:17 GMT
    16 | Cisco Security has detected significant activity on April 2, 2014. | | 2014-April-04 13:39 GMT
    15 | Cisco Security has detected significant activity on March 17, 2014. | | 2014-March-18 12:39 GMT
    14 | Cisco Security has detected significant activity on March 13, 2014. | | 2014-March-14 12:46 GMT
    13 | Cisco Security has detected significant activity on March 11, 2014. | | 2014-March-12 13:00 GMT
    12 | Cisco Security has detected significant activity on March 10, 2014. | | 2014-March-11 12:50 GMT
    11 | Cisco Security has detected significant activity on March 7, 2014. | | 2014-March-10 13:03 GMT
    10 | Cisco Security has detected significant activity on March 6, 2014. | | 2014-March-07 13:36 GMT
    9 | Cisco Security has detected significant activity on March 3, 2014. | | 2014-March-04 12:47 GMT
    8 | Cisco Security has detected significant activity on March 1, 2014. | | 2014-March-03 13:24 GMT
    7 | Cisco Security has detected significant activity on February 24, 2014. | | 2014-February-25 11:09 GMT
    6 | Cisco Security has detected significant activity on February 17, 2014. | | 2014-February-19 13:26 GMT
    5 | Cisco Security has detected significant activity on February 13, 2014. | | 2014-February-14 14:02 GMT
    4 | Cisco Security has detected significant activity on February 12, 2014. | | 2014-February-13 14:07 GMT
    3 | Cisco Security has detected significant activity on February 11, 2014. | | 2014-February-12 15:51 GMT
    2 | Cisco Security has detected significant activity on February 5, 2014. | | 2014-February-06 18:41 GMT
    1 | Cisco Security has detected significant activity on February 3, 2014. | | 2014-February-04 19:43 GMT

Legal Disclaimer

  • THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products