(Solved) Purchase Approved: Thank you for your preference

We ask that upon receipt of the goods the boxes be opened and the goods checked with the carrier, and that any irregularities (missing goods, breakages etc.) be reported immediately by a note on the back of the delivery receipt (name of the products and quantities broken), so that appropriate action can be taken. I remain at your disposal in the event of doubt.

This email was scanned by Avast antivirus.
hxxps://www.avast.com/antivirus

Dep. Notes
Customer: 18389402

351610030404650001645500100001-nfe.pdf
43 KB

351610030404650001645500100001-nfe.xml
13 KB

https://virustotal.com/en/file/c772d921e5ddbab19a0fa0128012a0a6dd6bf437875fd6afc5709c0b59800e4e/analysis/1478037778/

https://www.virustotal.com/en/file/be4e28ed67c2bf0f6f075aab951386d47a8bb7c1978727e179e9bd9c6574a26b/analysis/1478038162/

https://virustotal.com/en/file/2370f4e3209a14a9553e6c5e2a129eb958d6848688bf8d5cecd940a18a91e3ce/analysis/1478037721/

CyberCapture did absolutely nothing. There was no detection by Avast.

https://sitecheck.sucuri.net/results/elfinwayenviro.com/wp-includes/id3/.tmp/

The compressed file that is being studied (as VT states) has been analyzed here as well:
https://www.reverse.it/sample/2370f4e3209a14a9553e6c5e2a129eb958d6848688bf8d5cecd940a18a91e3ce?environmentId=100
and 4 malicious indicators and 10 suspicious indicators were found.
Seems cloaked and spyware - later more AV came to flag it.
Seems they have stopped the submission so Avast just came too late to the show.

Could be an FP, as this has a certificate chain processed but terminated in a root certificate which is not trusted by the trust provider,
and is a BobSoft Mini Delphi → BoB / BobSoft, which are false-detection prone, but I think this here:
https://www.reverse.it/sample/2370f4e3209a14a9553e6c5e2a129eb958d6848688bf8d5cecd940a18a91e3ce?environmentId=100
is malicious.

polonus

The email is spam; the lojaiplace.com.br link written below is meant to convince you that it is a legitimate distributor. The files are redirected from elfinwayenviro.com/wp-includes/id3/.tmp/ to SugarSync, and not as the email body message seems to say.

hxxps://www.sugarsync.com/pf/D3223756_874_311064228?directDownload=true

SBDOGBUILDER2.exe and 3516100304046235785001645500100001.exe are now detected as Win32:Malware-gen [trj] :)

URL
https://virustotal.com/en/url/a476c3d4f79f83c5504bae2acc031903b7c22698734eca5b92035783c2ac74bc/analysis/

File
https://virustotal.com/en/file/bc218c067f2b4cae665c20359ff9825acee64135cae17ca9213e1092ebd9687c/analysis/1478115421/

Thanks pondus for mentioning the links on VT (VirusTotal).

SBDO BUILDER 2.exe, current analysis result:

https://www.virustotal.com/en/file/be4e28ed67c2bf0f6f075aab951386d47a8bb7c1978727e179e9bd9c6574a26b/analysis/1478117030/

Malware was downloaded when the file 3516100304046235785001645500100001.exe was run.

The link in the email has changed:

hxxps://www.sugarsync.com/pf/D3223756_874_313686765?directDownload=true

03112016.zip

https://www.virustotal.com/en/file/29596b983e66a7984f87eac230f105737982bfc295a86b51026d65ab31473024/analysis/1478306686/

http://i.imgur.com/rMWjvc0.png

Avast detected it as FileRepMalware during the run.

The redirection changes all the time. This file is not detected by Avast:

03112016.vbs

https://www.virustotal.com/en/file/a835a8db0dd6981ab069e4f4694c355d43d0b3d9d51817bc28cb9a96eeaa02bd/analysis/1478480080/