Malware emails with fake cellphone invoice

Published: 2011-03-29
Last Updated: 2011-03-29 23:39:11 UTC
by Daniel Wesemann (Version: 1)
"Thank you for ordering from Cellphone Inc" is what the email says ... what it doesn't say is "have a nice day cleaning your infected PC". Reader Scott had just taken his mobile phone to a store for repair, but being the savvy security specialist, he was still suspicious when he got the following email shortly thereafter

Thank you for ordering from Cell Phone Inc.

This message is to inform you that your order has been received
and is currently being processed.

Your order reference is Cell Phone Inc. You will need this in all correspondence.
This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card. Your card will be charged for the amount
of 629.99 USD and "Cell Phone Inc." will appear next to the charge on your statement.
Your purchase information appears below in the file.

Cell Phone Inc.

Turns out of course that this email had nothing to do with Scott's phone, it is just the latest malware scam. The email comes with a PDF attachment that - at current count - tries to exploit collab.getIcon, media.newPlayer, collab.collectEmailInfo and util.printf -- all rather "old" Adobe Acrobat vulnerabilities, but apparently still "good enough" for the bad guys to warrant a new spam run.

The PDF's guts are obfuscated JavaScript, as usual, and currently showing up with a lousy 2/43 on the Virustotal radar

Keep your users from clicking ... and keep up with those pesky almost-feels-like-weekly Adobe updates!


Keywords: acrobat PDF exploit
So, perfect time from the spammers side.. Did Scott complain about his mobile phone on Social Media? Did he also publish his e-mail address there? Are spammers into datamining?!
What was the Subject line text? Also once infected, are there any known malicious IPs/domains that we can search logs for?
Subject here looked like:

Your Order No 152476 - Cell Phone Inc.
@matsaki, the subject varies by sample, is usually "Your Order No #####, Cell Phone Inc." In the PDF that I analyzed, the subsequent EXE download came from kawabungashop-dot-ru
Sender info

katie at

