At least once a week I get attachments from a “reputable” organization saying my account (that I don't have) has been locked due to suspicious activity being detected, a bank account (that I don't have) needs verification, or there is a problem with the shipment of a parcel (I didn't order). This week I got an interesting one from "Jordan Mccabe, UPS Station Manager". Sadly the sending individual doesn't know enough about the target to realize that "UPS" and "Post Office", well, kind of mismatch. But this one got me interested in doing some reverse engineering of the suspicious attachment because of its small size: only 817 bytes.
The text of the email is as follows:
Date: 02/26/2017 01:35 AM
From: virtual-user <firstname.lastname@example.org>
Subject: Parcel #001210497 shipment problem, please review
Dear Customer, Your item has arrived at the UPS Post Office at February 25, but the courier was unable to deliver parcel to you. Postal label is enclosed to this e-mail. Please check the attachment! Yours sincerely, Jordan Mccabe, UPS Station Manager.
Attachment Checksum (MD5): 3e01923b9fd179c864bf40caffb21786
The highlighted portions of the message are the details that commonly give away a spoof: the sender address is strange or wrong, the grammar is wrong, and the context of the message is wrong.
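Before unpacking anything, it is worth fingerprinting the attachment and listing what is inside it without letting a single byte touch the disk. The script below is an added example for this post, not the author's tooling; it builds a constructed stand-in for the attachment (an outer zip holding an inner zip holding a double-extension script named like a shipping label), reports size, MD5 and SHA-256 so the MD5 can be compared against the value the mail gateway reported, and then walks the archive in memory, recursing into nested zips and flagging script extensions, double extensions, traversal-style member names, and members whose inflation ratio looks like a zip bomb. The member names, extension list and size limits are illustrative choices, not facts about the real sample.

```python
import hashlib
import io
import os
import zipfile

# Extensions that commonly hide a script or executable behind a "document" name.
# Illustrative list, extend to taste.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe",
                     ".scr", ".lnk", ".ps1", ".cmd", ".bat", ".jar"}

# Refuse to inflate a member that expands more than MAX_RATIO times or past
# MAX_INFLATED bytes: a nested archive is also how zip bombs get past scanners.
MAX_RATIO = 100
MAX_INFLATED = 10 * 1024 * 1024


def build_sample_attachment() -> bytes:
    """Constructed sample, NOT the real attachment from the email: an outer zip
    holding an inner zip that holds a double-extension script named like a label."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Postal_Label_001210497.pdf.js",
                   "// placeholder body, constructed for the example\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Postal_Label_001210497.zip", inner.getvalue())
    return outer.getvalue()


def fingerprint(data: bytes) -> dict:
    """Size plus MD5 and SHA-256. MD5 is what mail gateways usually report
    (compare it with the checksum in the message header); SHA-256 is what you
    pivot on in threat-intel feeds."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def inspect_archive(data: bytes, depth: int = 0, max_depth: int = 4) -> list:
    """List every member of a zip, and of any zip nested inside it, entirely in
    memory. Returns one dict per member carrying the triage flags that fired."""
    if depth > max_depth:
        return [{"depth": depth, "name": "<nesting limit reached>", "size": 0,
                 "flags": ["too_deep"]}]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            root, ext = os.path.splitext(name.lower())
            flags = []
            if ext in SCRIPT_EXTENSIONS:
                flags.append("script_or_executable")
            if os.path.splitext(root)[1]:            # e.g. label.pdf.js
                flags.append("double_extension")
            if name.startswith(("/", "\\")) or ".." in name.replace("\\", "/").split("/"):
                flags.append("path_traversal_name")
            ratio = info.file_size / max(info.compress_size, 1)
            if info.file_size > MAX_INFLATED or ratio > MAX_RATIO:
                flags.append("inflation_bomb_suspected")
            findings.append({"depth": depth, "name": name,
                             "size": info.file_size, "flags": flags})
            # Only inflate members that passed the size check, and decide
            # "is this a zip?" from the bytes, not from the file extension.
            if "inflation_bomb_suspected" not in flags and not info.is_dir():
                member = z.read(name)
                if zipfile.is_zipfile(io.BytesIO(member)):
                    flags.append("nested_archive")
                    findings.extend(inspect_archive(member, depth + 1, max_depth))
    return findings


if __name__ == "__main__":
    sample = build_sample_attachment()      # swap for open(path, "rb").read()
    for key, value in fingerprint(sample).items():
        print(f"{key:7} {value}")
    for entry in inspect_archive(sample):
        indent = "  " * entry["depth"]
        print(f"{indent}{entry['name']} ({entry['size']} bytes) {entry['flags']}")
```

Run it against a real sample by replacing the constructed bytes with the file contents; nothing is extracted to disk, so it is safe to run on the workstation that received the mail, and the nesting limit plus the inflation check keep a hostile archive from exhausting memory.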
Unzipping the attachments creates a second zip file with a