
Threat Outbreak Alert RuleID13288: Email Messages Distributing Malicious Software on September 5, 2016

Cisco, tools.cisco.com
2016-06-06 13:27:39

Medium

Alert ID: 46572
First Published: 2016 June 6 13:27 GMT
Last Updated: 2016 October 3 12:49 GMT
Version: 31

Summary

  • Cisco Security has detected significant activity related to spam email messages distributing malicious software.

Email messages that are related to this threat (RuleID13288 and RuleID13288KVR) may contain the following files:

| Name | Size in Bytes | MD5 Checksum |
| --- | --- | --- |
| 20160602370(docx).zip / 20160602111(docx).docx.exe | 173,056 | 0x7F8E975DFB3D106767E16266AEAE6C17 |
| Product request.gz / Product request PDF.exe | 777,216 | 0x12D1564EFEE4327B501C9A3F26E181D7 |
| PI_1173002-pdf.zip / PI_1173002-pdf.exe | 609,792 | 0xC79BF2E71CDA8B5290DD870C78759DB4 |
| MV SHIN_KENRYU_DOCS-PDF.gz / MV SHIN_KENRYU_DOCS-PDF.exe | 373,760 | 0x78963B4B74FEF8EF14A3BFD8542D57DC |
| Bank Account.zip /.pdf.scr | 2,179,072 | 0x84ACA20BD00E706BAFFEA1230E7E07BA |
| AMEND_SALMASAN_scan_0002000_file0023_docx.zip / AMEND_SALMASAN_scan_0002000_file0023_docx.jar | 135,773 | 0xEB5FA08E22B5759C01F89B0C1C3EA8BD |
| ENQUIRY_doc.ace / ENQUIRY_doc.exe | 432,128 | 0x9B441D368B125508F30316364F0D3834 |
| PayrollMoneyOrder.pdf.zip / PayrollMoneyOrder.pdf .exe | 331,776 | 0x65A6A20BBB9447FBA01CD5A30BD3497B |
| Maersk Doc.zip / Maersk Doc.pif | 892,928 | 0x15667CBC40A9F4EFD4CF5C56BC97DC0C |
| Factuur_00839290202_1029103.zip / Factuur_00839290202_1029103.pdf.exe | 812,591 | 0xEAE6EECD5230F051CCF1C7C40C6189D7 |
| doc.029_AT90021_xls.zip / doc.029_AT90456_xls.xls.exe | 257,327 | 0xCD33F29D8735030E35F21C0B97CB1DBE |
| PO.pdf.zip / PO.pdf.exe | 564,400 | 0x804894A16E00AB198DF0702E213DFA04 |
| invoice.zip / Doc00998700_PDF.zip / Doc00998700_PDF.exe | 670,208 | 0x5B13A72E08C07BC3FBD899E3253335E4 |
| purchase order-pdf.arj / purchase order-pdf.exe | 367,616 | 0x272A306BCB050925F14EC3975646B07B |
| ORDER,pdf.zip / ORDER,pdf.exe | 430,592 | 0x6768CCA6AFEDD89637A7443EFC3C3623 |
| Nota_Fiscal_Eletronica_21_06_2016_PDF.zip / Nota_Fiscal_Eletronica_21_06_2016_PDF.exe | 994,304 | 0x2C6612C06948B1C7F4071A097F114DC3 |
| REQUEST #78987 XLS.zip / REQUEST #78987 XLS.exe | 1,208,912 | 0x0B271C394EACF0FFF97E9F7DF5625AD6 |
| sscan001 pdf (1).zip / sscan001 pdf.exe | 2,421,328 | 0x332D4CF2F807AFEF05B21B14C4A65A4E |
| Airway bill document.PDF.zip / Airway bill document.PDF.exe | 899,072 | 0x3791B6AEDDDC9A97821BEC247F13788E |
| INVOICE_11739902-pdf.ace / INVOICE_11739902-pd f.exe | 1,552,896 | 0x556CEF5EFBBE5E27530AB44B94E8F894 |
| FJI114 1MEF3TQ.zip / 6.29.2016 5043 2076 0821.pdf.exe | 251,698 | 0x147278530B0233C24DB43F380A31EBEA |
| Airway_Bill_Copy_Reciept.PDF.zip / Airway_Bill_Copy_Reciept.PDF.exe | 1,215,976 | 0x341DCEC2FA0F45B25213FE4C82994A8D |
| INV_11168392-pdf.zip / INV_11168392-pdf.exe | 1,540,608 | 0x6E7017B0476611C63C4AAD95C1B67F6F |
| T T Copy PDF.zip / T T Copy PDF.exe | 781,800 | 0x033A4880D16656FB5FE86DFE8CE8095D |
| 36GTL4GG.zip / D43SV50G-0005611.pdf.exe | 197,697 | 0xE5FB119C214D204D3FE6022E29279452 |
| paymant copy.pdf.zip / paymant copy.pdf.exe | 838,144 | 0x3B1BC6513A88BA6F55A15F2D2E3283C1 |
| TD2016 1-9, 48-24,XLS.zip / TD2016 1-9, 11-32,XLS.xls.exe | 236,544 | 0xD0B0ADA2C431B6C7343ACF96704D808E |
| CV2016Caroline.docx.zip / CV2016Caroline.docx.vbs | 10,330 | 0x0CEA9583473D42B2256594BC22BC062F |
| CV2016Thalita.docx.zip / CV2016Thalita.docx.vbs | 10,359 | 0xDEE140DD0EC183B75B14D9D014993FB3 |
| id542326332363.zip / id654093871066.pdf.exe | 300,544 | 0x69BE1E62B00BA27CC4AE0E3B41720D41 |
| Income Tax Challan pdf.zip / Income Tax Challan pdf.exe | 785,896 | 0xAD9043F0EF5779BB8358B5D8DE85B04A |
| PAYMENT INSTRUCTION SHEET_PDF.zip / PAYMENT INSTRUCTION SHEET_PDF.bat | 172,032 | 0x2E0FDEE94A3BFBF37C45DC55DCFA4EC3 |
| paymen copy.pdf.zip / paymen copy.pdf.exe | 726,528 | 0xA1EC370E497AC73719D5CCFD68671B8D |
| Income Tax Challan pdf.zip / Income Tax Challan pdf.exe | Not Available | 0x9790EF54DB9BE70ACF077E6022E7BE90 |
| PaulaCurriculum.docx.zip / PaulaCurriculum.docx.vbs | 2,164 | 0x9AD3D2EED13B01E87DFBA0B2DC66963D |
| PO.DRAFT20160800108_xlsx.zip / PO.DRAFT20160800108_xlsx.exe | 697,856 | 0x6ED452A97702CBD3BB5211A4F30C2848 |
| DCIM0034.JPG P8609189.JPG .ZIP / DCIM0023.JPG P0250027.JPG .jpg.exe | 240,311 | 0x3B18E60D77DAFC8E566558E2A4EAE957 |
| PO#2201000741.Pdf.zip / PO#2201000741.Pdf.scr | 376,832 | 0xC8111F576FFAA65D86CE7A809E3CE856 |
| New Order-201688_INTERAL.zip / PO-201688_INTERAL pdf.exe | 156,672 | 0x24D5623E80BCFC584F490CCB03ACF592 |
| kuronekoyamato.co.jp ID 788189100922.zip / kuronekoyamato.co.jp ID 342750012803.pdf.exe | 253,623 | 0x9AC9D7E8E6529825277F7ACDF2D69FE8 |
| vsl_doc_010_08_pdf.gz / vsl_doc_010_08_pdf.exe | 99,744 | 0x1C3E50AFD045802F9E3E3A7994ED2102 |
| PO_110.Pdf.zip / PO_110.Pdf.exe | 526,848 | 0x9A31651F87000DA5F075DB168BE1715B |
| invoice PDF.zip / invoice PDF.exe | 531,968 | 0x3FC2AB63827DD459EE35796AD9379F5F |
| ID_432772449387 kuronekoyamato.co.jp.PDF.zip / ID_430954762101 kuronekoyamato.co.jp.PDF.exe | 230,672 | 0xCAC0332E93D6F9DF9D99F7224020B405 |
| Quotation pdf.tbz2 / Quotation pdf.exe | 503,808 | 0x40DE2CF08D3A186EB75639A55971F0FF |
| Halkbank,pdf.z / Halkbank,pdf.exe | 756,736 | 0x93B8BCF3A76260AE13CB6A3B425977BB |
| Sales-Contract#16.Doc.zip / Sales-Contract#16.Doc.exe | 452,096 | 0xD026677719D1D059B833A15CFA7B8204 |
| Visualizar_Orcamento.xls.zip / Visualizar_Orcamento.xls.exe | 2,199,677 | 0x136A5078B2621B988CCC9F8784EB10B8 |
| New Document PDF.zip / New Document PDF.exe | 530,944 | 0x7EBF67CBA412E639D909204A49EA7A1A |
| Signed Invoice & Deposit Slip.pdf.zip / Signed Invoice & Deposit Slip.pdf.scr | 356,352 | 0x328EB3527F0EC8063780098C3409C0A0 |
| BANK_DETAILS-pdf.zip / BANK_DETAILS-pdf.exe | 217,088 | 0x8040F064FB7CC6C9D060B17ED2559224 |
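Every row in the table above follows one delivery pattern: an archive (zip, gz, ace, arj, z, tbz2) wrapping a single executable (exe, scr, pif, bat, vbs, jar) whose name is padded with a document-looking part, sometimes with a space inserted before the real extension ("PayrollMoneyOrder.pdf .exe", "INVOICE_11739902-pd f.exe"). The following Python is an added example of a mail-gateway triage rule for that naming pattern; it is not Cisco's detection logic, the extension sets and thresholds are the editor's assumptions, and the sample entries are taken from the alert's table plus one constructed benign control.

```python
"""Attachment-name triage for the lure pattern this alert documents: an archive whose
inner file carries a document-looking name in front of an executable extension.
Illustrative rules (editor's assumptions), not Cisco's detection logic."""
import re

EXECUTABLE_EXTS = {"exe", "scr", "pif", "bat", "cmd", "com", "vbs", "js", "jse", "wsf", "hta", "jar"}
# Archive formats many mail gateways never unpack (the table lists .ace, .arj, .z, .tbz2, .gz)
OPAQUE_ARCHIVE_EXTS = {"ace", "arj", "z", "tbz2", "gz", "7z", "rar"}
DOC_TOKEN = re.compile(r"(pdf|docx?|xlsx?|jpe?g|png|txt)$")  # document-looking tail of a name part


def _doc_like_parts(name: str) -> set:
    """Whitespace-stripped name parts (split on '.') before the final extension that look like a document."""
    parts = name.lower().split(".")
    return {re.sub(r"\s+", "", p) for p in parts[:-1] if DOC_TOKEN.search(p)}


def assess_filename(name: str) -> dict:
    """Verdict for one attachment name: true extension, block decision and the reasons for it."""
    compact = re.sub(r"\s+", "", name)          # "pdf .exe" and "pd f.exe" both collapse to "pdf.exe"
    parts = compact.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"true extension .{ext} is executable")
        if _doc_like_parts(compact):
            reasons.append("document-looking name in front of the executable extension")
        if re.search(r"\s\.|\.\s", name) or _doc_like_parts(name) != _doc_like_parts(compact):
            reasons.append("whitespace inserted to disguise the extension")
    return {"filename": name, "true_ext": ext, "block": bool(reasons), "reasons": reasons}


def assess_entry(entry: str) -> dict:
    """Assess a 'container / ... / innermost file' entry as listed in the alert; the innermost name decides."""
    chain = [p for p in re.split(r"\s*/\s*", entry) if p]
    verdict = assess_filename(chain[-1])
    verdict["notes"] = []
    outer_exts = {c.lower().rsplit(".", 1)[-1] for c in chain[:-1] if "." in c}
    if outer_exts & OPAQUE_ARCHIVE_EXTS:
        verdict["notes"].append("container is an archive format the gateway may not unpack; detonate or quarantine")
    return verdict


# Constructed sample: five entries from the alert's table plus one constructed benign control
SAMPLE_ENTRIES = [
    "PayrollMoneyOrder.pdf.zip / PayrollMoneyOrder.pdf .exe",
    "INVOICE_11739902-pdf.ace / INVOICE_11739902-pd f.exe",
    "Bank Account.zip /.pdf.scr",
    "Maersk Doc.zip / Maersk Doc.pif",
    "CV2016Caroline.docx.zip / CV2016Caroline.docx.vbs",
    "Quarterly_Report.zip / Quarterly_Report.pdf",  # constructed benign control
]


def triage(entries=SAMPLE_ENTRIES) -> list:
    """Run every entry through assess_entry and return the verdicts in order."""
    return [assess_entry(e) for e in entries]


if __name__ == "__main__":
    for v in triage():
        print("BLOCK" if v["block"] else "allow", v["filename"], "|", "; ".join(v["reasons"] + v["notes"]))
```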

The following texts are samples of the email messages associated with this threat outbreak:

> Subject: Kindly acknowledge the receipt

Message Body:

Dear,
We send our PO sheet No. 16243.
Please see attached files and proceed with this order.
And, please acknowledge us the receipt of this order and
let us know your shipping schedule.

Or

> Subject: Overdue Invoices

Message Body:

On behalf of my colleague,
Please find attached and do the needful.
Thanks and BR,

Or

> Subject: Overdue Invoice
Message Body:

Dear Sir,
Please here i resend the invoice,
please pay today and send us swift.
Regards

Or

> Message Body:

Dear sirs,
Good day.
Please be advised our vsl M/V SHIN
KENRYU will call for discharging
with ETA 9th.JUNE if agw/wp.
We hereby nominate you good agent for her discharging.
Here attached cargo document for your
information, all cgo are liner outterm.
Here attached vsl stowage plan & vsl
particular for your reference.
Please advise below items.
1. Port congestion status.
2. PDA.
Kindly confirm your duly receipt by return.
Best regrds,

Or

> Subject: Bank Account
Message Body:

Hello,
My colleague is currently on vacation.
I am writing you regarding our new order.
Please confirm that the bank details in
attached invoice/PO are correct for payment
to your company. If not, please send the
correct bank details with corrected
invoice copy.

Or

> Subject: AMENDMENT_AUB FOR MS. CHERRY
Message Body:

Hi,
Kindly see attached and change beneficiary name for AUB.
Thank you.

Or

> Subject: TOP URGENT ENQUIRY
Message Body:

Good day,
Please find below enquiry as per attached and do the needful.
Regards,

Or

> Subject: payroll money order remitting errors

Message Body:

Hello,
The payroll money order cannot be processed.
I am attaching a scanned copy , please double check the account# and the transit#
Thank you,

Or

> Subject: BL DRAFT
Message Body:

Dear Sir/Madam,
It is in the best interest of our client to inform you about this shipment delivery.
After reviewing your BL shipment number; we need to confirm, did your company change shipment address?
Please, attached is the draft documents to re-confirm your shipment address. We require your quick
confirmation and reply to this development Asap
Regards.

Or

> Subject: Uw factuur Internetdiensten (English: Your Internet services invoice)

Message Body:

KPN Geachte, In de bijlage ontvangt u de factuur van uw KPN Internetdiensten. Bedrag en specificaties Deze maand is uw factuur in totaal € 738,25. De specificaties van de factuur vindt u in de bijlage. Overzicht van al uw facturen in MijnKPN Wilt u een overzicht van al uw facturen of uw persoonlijke instellingen bekijken?
Klik dan hier om naar MijnKPN te gaan. Dit is uw persoonlijke en beveiligde KPN omgeving.
Uitleg van uw factuur Klik hier voor uitleg over uw factuur. Veelgestelde vragen Hebt u nog vragen over uw factuur en de betaling ervan, kijk dan op kpn.com/factuur.
Hier vindt u informatie over veelgestelde vragen zoals: de opbouw van de factuur,
de betalingsmogelijkheden, de factuur online bekijken en hoe u wijzigingen doorgeeft.
Met vriendelijke groet,

(English translation: KPN Dear [customer], Attached you will find the invoice for your KPN Internet services. Amount and details: this month your invoice totals € 738,25. The invoice details are in the attachment. Overview of all your invoices in MijnKPN: would you like to see an overview of all your invoices or your personal settings? Then click here to go to MijnKPN. This is your personal, secured KPN environment. Explanation of your invoice: click here for an explanation of your invoice. Frequently asked questions: if you still have questions about your invoice and paying it, see kpn.com/factuur. There you will find information on frequently asked questions such as how the invoice is made up, the payment options, viewing the invoice online and how to submit changes. Kind regards,)

Or

> Subject: PO FROM SWISS GARDEN KL

Message Body:

Dear Supplier,
Please refer to the attachment for Purchase Order.
Thank you

Or

> Subject: Sales & Collections, sales invoice
Message Body:

Hi,
Find attached a copy of the sales invoice with which
to crosscheck your records. Also, we need to know if
we shall be using the same card/financial institution in
processing your refund or would you rather we mail in a check?
Thanks,

Or

> Subject: Purchase Order

Message Body:

Dear Sir
Please see the purchase order attached for the items
requested and give us your confirmation on date of shipping.
Our representative in your Country has forwarded the Purchase
Order on the item’s, but there is no confirmation from your
side. We would also like to inquire about the following:

  • Delivery time of the product
  • Product warranty
  • Minimum Order Quantity
  • Payment terms available.

Kindly quote your best price as per following material and revert.
Thanks
Best Regards,

Or

> Subject: PURCHASE ORDER

Message Body:

Dear sir,
Please find the attached Order for the month of Jun.
Kindly Issue P/I Accordingly.
We need goods urgently for production.
Thank you and Regards,

Or

> Subject: Nota Fiscal Eletronica N : 10246516 (English: Electronic Invoice No.: 10246516)

Message Body:

Segue anexo Nota Fiscal Eletronica Emitida na data de 21/06/2016,
A Mesma referesse a parcela mensal cobrada em debito automatico.

(English translation: Attached is the electronic invoice issued on 21/06/2016. It refers to the monthly instalment charged by direct debit.)

Or

> Subject: Request

Message Body:

Hello Sir/Madam,
Kindly find the attached picture sample for your
reference.Give us the best price .Your early
response will be much more appreciated.
Regards ,

Or

> Subject: Statement
Message Body:

Good Day,
She hasn’t been in the office for a while and there is
some open invoices that I need to collect!Please see
attached and let me know if you have any questions!
Sincerely,

Or

> Subject: Airway bill document

Message Body:

Good Morning,
Pls find attached BL draft for your ref,
Kindly check & confirm all the details
are in order,
Thanks & Best Regards

Or

> Subject: Payment

Message Body:

Dear Sir,
Please here i resend the invoice,
please pay today and send us swift.
Regards

Or

> Subject: NEW DHL SHIPMENT FOR DHL - 443887 1183

Message Body:

Dear Sir/Ma,
Our courier company was not able to deliver
your parcel to your address. You may pickup
the parcel at our office personally.
Kindly Open the attached file to view
your shipping label .
Please print this label and show at the nearest DHL office.
Thank you

Or

> Subject: Invoice

Message Body:

Dear Sir,
Please here i resend the invoice and this time
the invoice is in PDF AND ACE format hopefully one of them will open.
please pay today and send us swift.

Or

> Subject: Swift Copy

Message Body:

Dear Sir
Payment already transferred.
Attached herewith TT Copy for your reference.
Thanks & Regards,

Or

> Subject: payment notification

Message Body:

Greetings
Kindly confirm if our payment has been credited to your account.
Attached is the payment notification from our bank for your reference.
Thank you!
Best Regards & BeWell!

Or

> Subject: Segue anexo meu curriculo (English: My CV is attached)

Message Body:

Bom dia,
Em resposta ao anuncio publicado em (13/06/2016), venho apresentar minha candidatura,
encaminhando, em anexo, meu curriculo.
Att,

(English translation: Good morning, In response to the advertisement published on (13/06/2016), I am submitting my application and enclosing my CV. Regards,)

Or

> Subject: Fwd: Tax Payment was Deducted From Your Account

Message Body:

Dear Sir, We Have automatically deducted your tax payment from your Bank Account. Kindly download and view your receipt below attached to this email. Sincerely, Income Tax Department

Or

> Subject: Payment Advice(TT Copy)

Message Body:

Dear Sir,
Fyi, pls find attached payment copy in accordance with a request
from your customer to complete the payment.Pls confirm urgently.
For further information, please do not hesitate to contact - Client
Service.
Thank You!
Best Regards

Or

> Subject: payment notification

Message Body:

Greetings
Kindly confirm if our payment has been credited to your account.
Attached is the payment notification from our bank for your reference.
Thank you!
Best Regards & BeWell!

Or

> Subject: Tax Payment was Deducted From Your Account

Message Body:

Dear Sir,
We Have automatically deducted your tax payment from your Bank Account.
Kindly download and view your receipt below attached to this email.
Sincerely,

Or

> Subject: Vaga de Emprego. (English: Job Vacancy.)

Message Body:

Boa tarde,
Em resposta ao anuncio publicado em (28/06/2016),
tenho interresse em ocupar a vaga de emprego,
encaminhando meu curriculo em anexo.
Att,

(English translation: Good afternoon, In response to the advertisement published on (28/06/2016), I am interested in filling the vacancy and enclose my CV. Regards,)

Or

> Subject: QUOTATION REQUEST.

Message Body:

Hi,
Can you give us price and delivery (per lot)
for the attached requirement. Your prompt
response would be highly appreciated.
Thanks,

Or

> Subject: PO#2201000741 and Sample Drawing

Message Body:

Dear Customer,
We did not receive your response about our new order we sent to you.
Please find our re attached PO#2201000741 and sample drawing.
Please send us the order confirmation with delivery schedule so we can prepare payment.
Thanks & regards

Or

> Subject: New Order 201688

Message Body:

Ref: RFQ# 207
Quotation Deadline: 25 August 2016
Dear Sir,
Please provide us your best possible quote for the following items ASAP.
(Note: It is necessary to provide the each quoted product weight along the
quote)
Regards

Or

> Subject: MV MAERSK FORWARDER - STIGSNAESVAERKETS HAVN-DENMARK

Message Body:

Dear Sir,
Please be advised our vessel MV MAERSK will call for discharging with ETA
August 11th, 2016.
We hereby nominate your good agent for her discharging.
Here attached vessel stowage plan & vessel particulars for your reference.
Please advise below items.
1. Port congestion status.
2. PDA.
Best regards,

Or

> Subject: PURCHASE ORDER

Message Body:

Hello, Please kindly assist to provide a quote for the following PO_110#2016 Order As Per Sample Attached Below and also advice the availability of the Order and delivery date waiting to hear from you. Thanks & Regards,

Or

> Subject: PROFORMA INVOICE

Message Body:

Dear sir,
Please find attach copy of invoice we prepared for our Orders,
and reconfirm to us before we proceed with the payment
Thanks and waiting for your confirmation
Best regards

Or

> Subject: Qoutation Oman Seaps
Message Body:

Good Day Sir ,
Kindly find the attached Qoutations attached.
Should you require any further information/
clarification,please do feel free to contact us.
Best Regards

Or

> Subject: T.HALK BANKASI A.S. 23.08.2016 Hesap Ekstresi (English: T. HALK BANKASI A.S. 23.08.2016 Account Statement)

Or

> Subject: Ttn Services

Message Body:

I hope everything is going well with you. I sent this Sales Contract
earlier, signed and stamped kindly check and inform me immediately.
Please Find attached …

Or

> Subject: PEDIDO DE COMPRA (English: PURCHASE ORDER)

Message Body:

Pode me enviar esse orçamento que esta em anexo
o numero 3 e 5,8,9,12 sao urgentes agradeço desde ja
email de retorno para
caso nao funcione o anexo segue o link das planilhas

(English translation: Can you send me this quotation that is attached; numbers 3 and 5, 8, 9, 12 are urgent, thanks in advance; reply email to [blank]; in case the attachment does not work, here is the link to the spreadsheets)

Or

> Subject: NEW DOCUMENT

Message Body:

Good day,
Please open the the zip to see the new document

Or

> Subject: Signed Invoice & Deposit Slip
Message Body:

Dear Sir
On Behalf of my colleague presently sick in the hospital,
have had to continue this transaction.
Please find attached the deposit swift
copy and the stamped invoice of the order as agreed.
Please confirm the receipt of invoice and
payment when it arrive your account
Regards

Or

> Subject: Bank Details

Message Body:
Hi,
Please can you confirm the attachment bank details for the
payment
Please check and let me know if your bank details attached is ok.
Waiting for your confirmation.
Cheers,

Cisco security appliances can help protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Cisco Web Security Appliances help secure and control web and email traffic by offering layers of malware protection. Cisco security appliances are automatically updated to help prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security
Cisco SenderBase Security Network

Revision History

| Version | Description | Date |
| --- | --- | --- |
| 31 | Updated to report significant activity detected by Cisco Security on September 30, 2016 | 2016-October-03 |
| 30 | Updated to report significant activity detected by Cisco Security on September 5, 2016 | 2016-September-07 |
| 29 | Updated to report significant activity detected by Cisco Security on August 30, 2016 | 2016-August-31 |
| 28 | Updated to report significant activity detected by Cisco Security on August 29, 2016 | 2016-August-30 |
| 27 | Updated to report significant activity detected by Cisco Security on August 26, 2016 | 2016-August-29 |
| 26 | Cisco Security has detected significant activity on August 22, 2016 | 2016-August-26 |
| 25 | Cisco Security has detected significant activity on August 22, 2016 | 2016-August-22 |
| 24 | Cisco Security has detected significant activity on August 18, 2016 | 2016-August-19 |
| 23 | Cisco Security has detected significant activity on August 14, 2016 | 2016-August-15 |
| 22 | Cisco Security has detected significant activity on August 10, 2016 | 2016-August-12 |
| 21 | Cisco Security has detected significant activity on August 10, 2016 | 2016-August-11 |
| 20 | Cisco Security has detected significant activity on August 9, 2016 | 2016-August-10 |
| 19 | Cisco Security has detected significant activity on August 4, 2016 | 2016-August-03 12:53 GMT |
| 18 | Cisco Security has detected significant activity on August 2, 2016 | 2016-August-03 12:53 GMT |
| 17 | Cisco Security has detected significant activity on July 12, 2016 | 2016-July-14 13:50 GMT |
| 16 | Cisco Security has detected significant activity on July 12, 2016 | 2016-July-13 14:43 GMT |
| 15 | Cisco Security has detected significant activity on July 11, 2016 | 2016-July-11 19:48 GMT |
| 14 | Cisco Security has detected significant activity on July 7, 2016 | 2016-July-08 12:20 GMT |
| 13 | Cisco Security has detected significant activity on July 6, 2016 | 2016-July-07 12:44 GMT |
| 12 | Cisco Security has detected significant activity on July 5, 2016 | 2016-July-06 11:49 GMT |
| 11 | Cisco Security has detected significant activity on June 29, 2016 | 2016-June-30 11:23 GMT |
| 10 | Cisco Security has detected significant activity on June 28, 2016 | 2016-June-29 12:24 GMT |
| 9 | Cisco Security has detected significant activity on June 24, 2016 | 2016-June-27 13:35 GMT |
| 8 | Cisco Security has detected significant activity on June 23, 2016 | 2016-June-24 13:46 GMT |
| 7 | Cisco Security has detected significant activity on June 17, 2016 | 2016-June-20 11:49 GMT |
| 6 | Cisco Security has detected significant activity on June 16, 2016 | 2016-June-17 12:32 GMT |
| 5 | Cisco Security has detected significant activity on June 15, 2016 | 2016-June-15 19:25 GMT |
| 4 | Cisco Security has detected significant activity on June 9, 2016 | 2016-June-13 12:19 GMT |
| 3 | Cisco Security has detected significant activity on June 7, 2016 | 2016-June-09 12:23 GMT |
| 2 | Cisco Security has detected significant activity on June 7, 2016 | 2016-June-08 12:33 GMT |
| 1 | Cisco Security has detected significant activity on June 5, 2016 | 2016-June-06 13:27 GMT |

Legal Disclaimer

  • THIS DOCUMENT IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products