Trojan Installers

Analysis and Takeapart of a UPS Parcel Shipping Problem Spoof

Submitted by AlReaud on Tue, 02/28/2017 - 19:26

At least once a week I get attachments from a “reputable” organization saying my account (that I don't have) has been locked due to suspicious activity being detected, a bank account (that I don't have) needs verification, or there is a problem with the shipment of a parcel (I didn't order). This week I got an interesting one from "Jordan Mccabe, UPS Station Manager". Sadly the sending individual doesn't know enough about the target to realize that "UPS" and "Post Office", well, kind of mismatch. But this one got me interested in doing some reverse engineering of the suspicious attachment because of its small size, only 817 bytes.

The text of the email is as follows:
Date: 02/26/2017 01:35 AM
From: virtual-user <webmaster@lippocastano.it>
Subject: Parcel #001210497 shipment problem, please review
To: Me
Body:

Dear Customer,
Your item has arrived at the UPS Post Office at February 25, but the courier was unable to deliver parcel to you.
Postal label is enclosed to this e-mail. Please check the attachment!
Yours sincerely,
Jordan Mccabe,
UPS Station Manager.

Attachment: UPS-Parcel-ID-001210497.zip
Attachment Checksum (MD5): 3e01923b9fd179c864bf40caffb21786

Screen capture of UPS Trojan Attachment Email showing highlights.

The highlighted areas are the things that commonly give away the fact that it is a spoof: the sender address is strange or wrong (here a webmaster account at an unrelated Italian domain, not a UPS address), the grammar is wrong, and the context of the message is wrong.
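Before opening an attachment like this one, it is worth fingerprinting it and looking inside the zip without extracting anything to disk. The script below is an added example and is not code from the original post. The nested zip it builds is constructed for the demo (the member names and the one-line script inside are placeholders, not the contents of the real UPS-Parcel-ID-001210497.zip), and the list of "suspicious" extensions is a practical shortlist I chose, not an exhaustive one.

```python
import hashlib
import io
import os
import zipfile

# Extensions that commonly carry a script or executable payload behind a
# "label" or "invoice" name. Assumption: a practical shortlist, not exhaustive.
SUSPICIOUS_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".js", ".jse", ".vbs", ".vbe",
    ".wsf", ".wsh", ".hta", ".lnk", ".bat", ".cmd", ".ps1", ".jar",
}


def file_hashes(data: bytes) -> dict:
    """MD5 (what the post quotes) and SHA-256 (worth recording alongside it)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def walk_zip(data: bytes, prefix: str = "", depth: int = 0, max_depth: int = 5) -> list:
    """List every member of a zip held in memory, descending into nested zips.

    Nothing is written to disk. A member is read into memory only to test
    whether it is itself a zip; encrypted members are reported but not read.
    """
    if depth > max_depth:
        raise ValueError("zip nested more than %d levels deep" % max_depth)
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = os.path.splitext(info.filename.lower())[1]
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0
            entry = {
                "path": path,
                "compressed_size": info.compress_size,
                "file_size": info.file_size,
                "encrypted": encrypted,
                "suspicious_ext": ext in SUSPICIOUS_EXTENSIONS,
                "nested_zip": False,
            }
            if not encrypted:
                member = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(member)):
                    entry["nested_zip"] = True
                    entries.append(entry)
                    entries.extend(walk_zip(member, path + "/", depth + 1, max_depth))
                    continue
            entries.append(entry)
    return entries


def analyze_attachment(data: bytes) -> dict:
    """Fingerprint the attachment and flag members that deserve a closer look."""
    members = walk_zip(data)
    flagged = [m["path"] for m in members if m["suspicious_ext"] or m["encrypted"]]
    return {"hashes": file_hashes(data), "members": members, "flagged": flagged}


def build_sample() -> bytes:
    """Constructed stand-in for the attachment: a zip inside a zip, holding a
    script named to look like a document. Names and content are made up for
    the demo; they are not what the real attachment contains."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("UPS-Parcel-ID-001210497.doc.js",
                    "WScript.Echo('placeholder, not a real payload');\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("UPS-Parcel-ID-001210497-label.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    report = analyze_attachment(build_sample())
    print("MD5   ", report["hashes"]["md5"])
    print("SHA256", report["hashes"]["sha256"])
    for m in report["members"]:
        print("%-60s %6d bytes%s%s" % (
            m["path"], m["file_size"],
            " [nested zip]" if m["nested_zip"] else "",
            " [encrypted]" if m["encrypted"] else ""))
    print("flagged:", report["flagged"])
```

To use it on a real sample, pass the bytes of the downloaded attachment to analyze_attachment() instead of build_sample(); the MD5 it prints should match the checksum quoted above. Password-protected members are reported rather than read because a password in the email body is a common way to keep mail gateways from scanning the payload, and the depth limit keeps a deliberately recursive archive from running the walker forever.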

Unzipping the attachments creates a second zip file with a