Analysis of a zero day phishing email

This is my analysis of an email that turned out to be a zero day phishing attack, disguised as a USPS package delivery failure notice, containing an attachment that was a virus.

The email arrived in my Yahoo mail.  At least Yahoo put it in my Spam folder and blocked the attached image.

Yahoo spam phishing email

Unblocking the image, the email looks like this.  The image has a raggedy USPS logo.  The message just is not professional enough to convince me that it is from the United States Postal Service.  This looks bogus.  This looks like phishing.

Yahoo spam phishing email

The message does not look very convincing with its crude layout, odd salutation and closing, odd mix of text colors, mix of lower and upper case text and ragged low resolution logo.  The “To” address was real, but the “From” address looks suspect.  There is nothing personal about the message.  If the delivery really was to me, they would know my name, address and tracking id.

The goal of this email is to get the recipient to open it, then open the attachment.

Examining the email headers shows the real originating IP, 91.124.107.244 (circled in red).

Yahoo phishing spam email headers

A lookup at arin.net and ripe.net shows that IP is owned by UKRTELECOM, Ukraine Telecom in Ukraine.

Yahoo phishing spam email RIPE report

I doubt that the USPS sends email out of the Ukraine so the “From” header is forged.

To test if the attached file is malware, I uploaded it to a web site that analyzes files for potential malware, virustotal.com.  Here is the (partial) report confirming that it is malware.  Microsoft calls the malware TrojanDownloader:Win32/Rimod.A.

Yahoo phishing spam email - virustotal.com report
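As an added example that is not part of the original post, here is a small Python triage script that automates the checks made by hand above: it pulls the originating IP from the earliest Received header, notes that the claimed From domain never appears in the relay chain (the forgery hint), and lists attachments with risky extensions. The message it parses is constructed for the example; only the originating IP is the one shown in the post, and the relay hostnames, addresses and attachment name are assumed.

```python
import ipaddress
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
RISKY_EXT = (".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".zip")


def build_sample():
    """Constructed lookalike of the USPS notice; only the origin IP is from the post."""
    msg = EmailMessage()
    msg["From"] = "USPS Customer Service <usps.service@usps.com>"   # claimed sender (assumed)
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "USPS Delivery Failure Notification"
    # Received headers read newest-first; the last one is the hop closest to the sender.
    msg["Received"] = "from mx1.example.net (mx1.example.net) by mail.example.net; Mon, 1 Jan 2024 10:00:01 +0000"
    msg["Received"] = "from [91.124.107.244] (unknown [91.124.107.244]) by mx1.example.net with SMTP; Mon, 1 Jan 2024 10:00:00 +0000"
    msg.set_content("Unfortunately we failed to deliver your postal package. Print the attached label.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="USPS_Label.exe")
    return msg.as_string()


def originating_ip(raw):
    """Public IP of the earliest hop, i.e. the host that handed the mail to the first relay."""
    received = message_from_string(raw).get_all("Received", [])
    for hdr in reversed(received):                    # walk from earliest hop upward
        for cand in IPV4.findall(hdr):
            try:
                ip = ipaddress.ip_address(cand)
            except ValueError:
                continue                              # e.g. 999.1.1.1 is not an address
            if not (ip.is_private or ip.is_loopback or ip.is_link_local):
                return str(ip)
    return None


def claimed_sender_domain(raw):
    addr = parseaddr(message_from_string(raw).get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def risky_attachments(raw):
    names = [p.get_filename() or "" for p in message_from_string(raw).walk()]
    return [n for n in names if n.lower().endswith(RISKY_EXT)]


def triage(raw):
    """Collect the signals the post checks by hand: origin, From forgery hint, attachments."""
    domain = claimed_sender_domain(raw)
    chain = " ".join(message_from_string(raw).get_all("Received", [])).lower()
    findings = []
    if domain and domain not in chain:                # no relay belongs to the claimed sender
        findings.append("from-domain-never-appears-in-received-chain")
    findings.extend("risky-attachment:" + n for n in risky_attachments(raw))
    return {"origin_ip": originating_ip(raw), "from_domain": domain, "findings": findings}


if __name__ == "__main__":
    print(triage(build_sample()))
```

The origin IP this script reports is the value to feed into the ARIN/RIPE lookup described above; it does not replace scanning the attachment itself.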

After this analysis, this email is obviously not from the USPS.  It is a phishing attack.

It originated in the Ukraine and was poorly crafted to look like a USPS package delivery failure notice to entice the user to open the attachment.  The attachment contains malware.  The “From” header was forged.

If the user opened the attachment, the malware may have been activated and installed itself on the user's computer.  The malware could have allowed remote access to the user's PC and remote control of the PC.

It is a zero day attack because the Yahoo virus filter allowed me to download it without warning.  A day later, Yahoo mail would not allow me to download it, saying “Virus detected.”  So there was a 24-hour period when the antivirus software was not detecting it, a period of time when the virus was loose in the wild and antivirus software was not able to detect and prevent it.  That is the definition of zero day.

Yahoo malware spam email virus detected

Be careful of opening email attachments.  Especially be wary of messages that look bogus and are from unexpected sources.  Be careful out there.
