A forum for reverse engineering, OS internals and malware analysis 
 #17288  by Xylitol
 Wed Dec 19, 2012 11:01 am
https://www.virustotal.com/file/428140e ... 355913994/
Received today via e-mail, js code is obfuscated
x-store-info:fHNTDlzCF8Nxw6HwcfGQy+S7Ax/lqLSmNphQ3OF+T9E=
Authentication-Results: hotmail.com; spf=none (sender IP is 89.108.70.160) smtp.mailfrom=restrictions@m.paypaI.com; dkim=none header.d=m.paypaI.com; x-hmca=none
X-SID-PRA: restrictions@m.paypaI.com
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MjtHRD0yO1NDTD00
X-Message-Info: 5cuOr7VrmjDmywgYdM3iymC/wdWOfYACab8SZ+UMHKR4iBdVjGV42kmj9g8rwZZ4l96Psdmb8vtXzBb1Zx3Tcg05R7DedxZx9M7JMyNPDYIZYzJvnVty4v1jalpwxN0AO+tpQslFEJqOi9Nuc94e2XRTk2dJYC28
Received: from paypal.com.br ([89.108.70.160]) by SNT0-MC3-F3.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
	 Wed, 19 Dec 2012 01:41:59 -0800
Received-Path: <restrictions@m.paypaI.com>
Received: from activate.adobe.com[127.0.0.1] (helo=User) by
 activate.adobe.com[127.0.0.1] with smtp (QK SMTP Server 3);Wed, 19 Dec 2012
 02:57:20 +0200
Reply-To: <restrictions@m.paypaI.com>
From: "PayPal"<restrictions@m.paypaI.com>
Subject: Identity Issue #E789-3340-A10-8744 Code                                              PQEPVCDESZ
Date: Wed, 19 Dec 2012 02:57:20 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_001B_01C2A75B.2C26110E"
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Bcc:
Return-Path: restrictions@m.paypaI.com
Message-ID: <SNT0-MC3-F3GQ7WuF09007a439d@SNT0-MC3-F3.Snt0.hotmail.com>
X-OriginalArrivalTime: 19 Dec 2012 09:41:59.0458 (UTC) FILETIME=[176BB020:01CDDDCD]

This is a multi-part message in MIME format.

------=_NextPart_000_001B_01C2A75B.2C26110E
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Dear Member, 

Your account has been identified as a safety risk to our service and Terms Of Service. To avoid further collection remedies and problems, please follow and complete the attached form in order to verify your Identity and restore your account to full access. 

Your PayPal account may be limited or locked if you do not comply with these standards accordingly. 

You will not have access to your account if it is limited until you make these changes. 

In order to restore your account to full access: 

1. Download the secure form attached to this email. 
2. Follow the instructions and allow PayPal to gather all the necessary information needed. 
3. Allow up to 4 to 5 business days for your case to be reviewed and completed. 


Please include the email address associated with your PayPal account.


---------------------------------------------------------------- 
PROTECT YOUR PASSWORD 
NEVER give your password to anyone, including PayPal employees. 
---------------------------------------------------------------- 


Copyright © 1999-2012 PayPal. All rights reserved. 
PayPal 
P.O. Box 45950 
Omaha, NE 68145-0950

------=_NextPart_000_001B_01C2A75B.2C26110E
Content-Type: application/octet-stream;
	name="#E789-3340-A10-8744.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="#E789-3340-A10-8744.html"
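As an added defender-side example (not code from the post or the thread), the script below parses a constructed copy of the headers quoted above and flags the indicators visible in them: the look-alike sender domain (capital I for l in paypaI.com), the absence of any passing SPF or DKIM result, the loopback Received hop carrying a forged HELO name, and the .html attachment delivered as application/octet-stream. The BRANDS watchlist and HOMOGLYPHS table are assumptions of this example.

```python
import email
import re

# Constructed sample: the headers quoted in the post above, folded onto single
# lines, with a minimal MIME body standing in for the real attachment.
SAMPLE = """\
Authentication-Results: hotmail.com; spf=none (sender IP is 89.108.70.160) smtp.mailfrom=restrictions@m.paypaI.com; dkim=none header.d=m.paypaI.com
Received: from paypal.com.br ([89.108.70.160]) by SNT0-MC3-F3.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900); Wed, 19 Dec 2012 01:41:59 -0800
Received: from activate.adobe.com[127.0.0.1] (helo=User) by activate.adobe.com[127.0.0.1] with smtp (QK SMTP Server 3);Wed, 19 Dec 2012 02:57:20 +0200
From: "PayPal"<restrictions@m.paypaI.com>
Subject: Identity Issue #E789-3340-A10-8744 Code
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: application/octet-stream; name="#E789-3340-A10-8744.html"
Content-Disposition: attachment; filename="#E789-3340-A10-8744.html"
Content-Transfer-Encoding: base64

PGh0bWw+PC9odG1sPg==
--b--
"""

# Assumed look-alike substitutions seen in lure domains (I/1 for l, 0 for o).
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o"})
# Assumed watchlist: brand keyword -> domains genuinely allowed to carry it.
BRANDS = {"paypal": {"paypal.com"}}

def from_domain(msg):
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1) if m else ""

def analyze(raw):
    msg = email.message_from_string(raw)
    findings = []
    dom = from_domain(msg)
    actual = dom.lower()                           # what the MTA really sees
    normalized = dom.translate(HOMOGLYPHS).lower()  # what the eye reads
    for brand, legit in BRANDS.items():
        under_legit = any(actual == d or actual.endswith("." + d) for d in legit)
        if brand in normalized and not under_legit:
            findings.append(f"brand look-alike sender domain: {dom}")
    auth = msg.get("Authentication-Results", "")
    if "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("no passing SPF or DKIM result for sender")
    for hop in msg.get_all("Received", []):
        if re.search(r"\[127\.0\.0\.1\]", hop) and "helo=" in hop:
            findings.append("loopback Received hop with forged HELO name")
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith((".html", ".htm")) and \
                part.get_content_type() == "application/octet-stream":
            findings.append(f"HTML attachment sent as octet-stream: {name}")
    return findings
```

Run `analyze(SAMPLE)` to get the list of findings; any one of them is a reason to quarantine the message before the attachment reaches a user.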