Clever Malware-containing e-mail

The following is the content of an e-mail I received at work, which is cleverly written like a formal letter. The attachment contains a ‘.scr’ file inside, which is an executable and therefore very certainly Malware.

From: Patrick Ludveen <>
Subject: Telephone call inquiry
Received: Thursday 29/01/2015 23:09

Dear Sir/Ma

I called and spoke with someone in your office last week concerning my inquiries and request. He promised to get back to me by email and telephone. I clearly spelt out my email address and telephone numbers to him to avoid mistakes. I am shocked that he has not deemed it important to either email me or call me back as promised. I am disappointed. This is not a good business practice and should not be tolerated in any organization

We are one of the largest dealers of your products in my country and I am hoping we can work together as your sole representative here in my country. I am aware that this depends on the volume of the orders that we place each year. I am hopeful we can discuss and negotiate further. We are willing to doing whatever is appropriate for us to become your sole representative here.

I will like to visit your company/factory next month and would like to know if this is possible and that you schedule an appointment for me. As you must be aware, factory visits are an essential part of safe product sourcing. A factory visit, audit or inspection is my chance as a buyer to see your production facility and gain much deeper insight into your company. It is also important to confirm that your factory is really capable of the quality of products and output volume it claims to have.

I need to know if you have this product in this attached picture? if you do not, can you manufacture them for us? What will be the lead time?

I believe this is the beginning of a good partnership for the mutual benefit of both companies. Your urgent response would be appreciated.

Any questions, do not hesitate to ask.

Yours truly,
Patrick Ludveen
Pacomeubelen Netherland B.V
Amerikastraat 17 3232 BE 's-Hertogenbosch
Phone +31 (0)73 645 82 11
Fax +31 (0)73 645 82 15

I would say that a couple of salespeople here would open that picture.

What I suspect is that the ones behind this got access to some corporate e-mail accounts (e.g. phishing) and are collecting inquiry and sample request e-mails like this to make the Malware-containing e-mails look more legitimate.

For example, in the above e-mail, I reckon this was an actual e-mail some company received, but with the lines “Dear Sir/Ma” and “I need to know if you have this product in this attached picture?..” added, as these are the only two I notice typos in. The footer contact details appear to be made up, which I checked before posting the above.

The other thing I found interesting is that a Google search on a few phrases did not turn up anything, so they are using fresh content in their scams, at least this one anyway. With just about every other scam e-mail I received, I would get lots of similar samples published if I search for a random phrase in the e-mail.

The Zip attachment was also one of the largest I’ve seen in such an e-mail at roughly 800KB from what I recall, probably because it has the full Malware package in the attachment. Most infected attachments usually contain an executable file of between 10KB and 20KB, which download the Malware when launched. Then again, this is probably done to avoid the risk of a Firewall blocking the download of the full Malware package with the tiny download-dropper infections.
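To show the kind of check a mail gateway or an analyst could apply to an attachment like the one above, here is an added Python example (not from the original post): it builds a constructed zip containing a file named like a picture but ending in ".scr", and flags every member whose final extension Windows would execute, labelling it by size. The extension list and the 20 KB dropper threshold are assumptions based on the sizes mentioned in the post.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs directly on double-click; a .scr "screensaver" is
# just a renamed PE executable. Assumed list for this example.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}

# Assumed threshold: the post puts download-dropper stubs at 10-20 KB and a
# full package at roughly 800 KB.
DROPPER_MAX_BYTES = 20 * 1024


def scan_zip_attachment(data: bytes) -> list[dict]:
    """Return one finding per zip member whose name ends in an executable extension.

    Matching is case-insensitive and looks only at the final suffix, so a
    double extension such as 'picture.JPG.scr' is still caught.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffix = PurePosixPath(info.filename).suffix.lower()
            if suffix in EXECUTABLE_EXTENSIONS:
                findings.append({
                    "member": info.filename,
                    "extension": suffix,
                    "size": info.file_size,  # uncompressed size, as Windows would see it
                    "kind": "dropper-sized" if info.file_size <= DROPPER_MAX_BYTES
                            else "full-payload-sized",
                })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a harmless readme plus a fake 'picture' that is really a .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "product inquiry")
        # Dummy bytes, not a real PE; only the name and size matter for this check.
        zf.writestr("product picture.JPG.scr", b"MZ" + b"\0" * (30 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_zip()):
        print(finding)
```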

Remember that guy who got some millions that way onto his bank account…?

Hehe, I can relate to that :slight_smile:

I just saved a customer from CBT (Cryptolocker 2.0). He clicked on a very sophisticated email that looked like he was about to have some serious issues with the government.

Thank the gods for well documented backup procedures and user account settings. :slight_smile: