
Fake ADP Payroll invoice virus scam email claims to have last week's invoice attached, but the attachment is a virus.

Spoofs ADP domains. Versions exist with malware in zip attachments, malicious PDF attachments, and links to malware downloads.

The actual ADP company would like a copy of these fake emails if you get them. Forward them to the address given on the original page (obscured there by anti-spam JavaScript).


Subject: ADP Payroll Invoice for week ending 05/10/2013

Subject: Invoice

Subject: ADP Past Due Invoice#94855657

 Your ADP past due invoice is ready for your review at ADP Online Invoice Management .
If you have any questions regarding this invoice, please contact your ADP service team at the number provided
on the invoice for assistance.
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.

Review your ADP past due invoice here.

Important: Please do not respond to this message. It comes from an unattended mailbox.

Subject: Payroll Invoice

 Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding  this invoice, please contact your 
ADP service team at the number provided on the invoice for assistance.

Thank you for choosing ADP Payroll.

Important: Please do not respond to this message.
It comes from an unattended mailbox.

ADP_inv_#02456266074_051013.zip (133)

Subject: ADP Payroll Invoice

 Your ADP Payroll invoice is attached for your review. If you have any questions regarding  this invoice, please contact your ADP
service team at the number provided on the invoice for assistance.

Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.

invoice_04302014.zip (9)

Subject: Payroll Invoice

 ADP TotalSource

A copy of your ADP TotalSource Payroll Invoice for the following payroll is is attached in PDF file and available for viewing.

Year: 13
Week No: 08
Payroll No: 1

Please open attached file to view and check following payrol

This email was generated by an automated notification system.
If you have any questions regarding the invoice or you have misplaced your MyTotalSource login information, please contact
your Payroll Service Representative. Please do not reply to the email directly.
© 2007 Automatic Data Processing, Inc.

invoice.zip (225)

Picture of a fake ADP Payroll email with virus.

Subject: ADP Invoice for week ending 08/15/2014 Invoice: 436441890

 Your most recent ADP invoice is attached for your review. If you have any questions regarding this invoice, please contact 
your ADP service team at the number or e-mail address provided on the invoice for assistance.

Thank you for choosing ADP for your business solutions.

Important: Please do not respond to this message. It is generated from an unattended mailbox.

    invoice#436441890.pdf (19)

Header samples:

Spoofs adp.com in the From header and uses something random in the envelope sender. Some versions don't spoof anything useful at all; some pull off a From + Envelope + HELO trifecta!

Received: from 50.97.36.6-static.reverse.softlayer.com [50.97.36.6]
X-Envelope-From: prickedwjdr7165 @acm.org
From: "run.payroll.invoice @adp.com" <run.payroll.invoice @adp.com>

Received: from device.lan [41.228.216.63]
X-Envelope-From: AmericanExpress @welcome.aexp.com
From:"Billing.Address.Updates @ADP.com" <Billing.Address.Updates @ADP.com>
Subject: ADP Invoice for week ending 08/15/2014 Invoice: 436441890

Received: from sbhisexch.sbhis.net (sbhisexch.sbhis.net [72.11.243.58])
X-Envelope-From: quarterbacksyqa @momix.org
From: "ops_invoice @adp.com" <ops_invoice @adp.com>

Received: from ADP.com [173.200.136.10]
X-Barracuda-Envelope-From: billing.address.updates @ADP.com
From: <billing.address.updates @ADP.com>
Subject: ADP Past Due Invoice#51712294

Received: from cable-188-2-208-249.dynamic.sbb.rs [188.2.208.249]
X-Barracuda-Envelope-From: bookendingp06 @praechtiger.com
From: cloutsz3 @scottstanchak.com
Subject: Payroll Invoice

Received: from 216.232.6.186.f.dyn.codetel.net.do [186.6.232.216]
X-Envelope-From: unrestw257 @uymai.net
From: fairsnsf6 @thecoalitionnetwork.com
Subject: Payroll Invoice

Received: from [182.70.132.164]
X-Envelope-From: maintainll @jodidavishomes.com
From: "payroll @adp.com" <twines898 @wiezijnwij.nl>
Subject: Invoice
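The header samples above show three things a filter can check when a message claims to come from adp.com: whether the envelope sender domain matches the From domain, whether the display name carries a different address than the real one, and whether the connecting host's HELO/rDNS name belongs to the brand. The following is an added example (not part of the original page); the header blocks are constructed to mirror the samples above, and the rule deliberately flags even a consistent "trifecta" when no Authentication-Results header backs the claim, since every one of those three headers is chosen by the sender.

```python
import re
from email.utils import parseaddr

# Constructed header samples modelled on the page's examples (not copied from a real
# message). They keep the page's " @" obfuscation, which parse_headers() strips.
SAMPLES = [
    'Received: from 50.97.36.6-static.reverse.softlayer.com [50.97.36.6]\n'
    'X-Envelope-From: prickedwjdr7165 @acm.org\n'
    'From: "run.payroll.invoice @adp.com" <run.payroll.invoice @adp.com>',
    'Received: from ADP.com [173.200.136.10]\n'
    'X-Barracuda-Envelope-From: billing.address.updates @ADP.com\n'
    'From: <billing.address.updates @ADP.com>',
    'Received: from [182.70.132.164]\n'
    'X-Envelope-From: maintainll @jodidavishomes.com\n'
    'From: "payroll @adp.com" <twines898 @wiezijnwij.nl>',
]
BRAND = "adp.com"  # the domain these lures impersonate

def parse_headers(raw):
    """Split a block of 'Name: value' header lines into a lower-cased dict."""
    hdrs = {}
    for line in raw.replace(" @", "@").splitlines():
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return hdrs

def domain(addr):
    """Domain part of an address, lower-cased ('' if there is none)."""
    return addr.rpartition("@")[2].lower()

def spoof_findings(raw):
    """Reasons a header block claiming to be BRAND looks spoofed ([] if none)."""
    h = parse_headers(raw)
    display, addr = parseaddr(h.get("from", ""))
    from_dom, display_dom = domain(addr), domain(display)
    env_dom = domain(h.get("x-envelope-from") or h.get("x-barracuda-envelope-from", ""))
    m = re.match(r"from\s+(\S+)", h.get("received", ""), re.I)
    helo = m.group(1).lower() if m else ""
    if BRAND not in (from_dom, display_dom):
        return []  # does not claim to be the brand; this rule does not apply
    findings = []
    if display_dom and display_dom != from_dom:
        findings.append("display name %s hides real sender %s" % (display, addr))
    if env_dom != from_dom:
        findings.append("envelope sender domain %s differs from From domain %s" % (env_dom, from_dom))
    if not helo.endswith(BRAND):
        findings.append("HELO/rDNS name %s is not an %s host" % (helo, BRAND))
    if "authentication-results" not in h:
        findings.append("no SPF/DKIM verdict backs the %s claim" % BRAND)
    return findings
```

In production the last check should read the actual SPF/DKIM/DMARC verdict from the receiving MTA rather than just the header's presence, since a sender can add a fake Authentication-Results header too.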

Malware

12 November 2014

Link to a malware download of invoice1211_pdf52.zip, containing invoice1211_pdf.exe (looks like Upatre).

The malware site claims to be under construction unless the request carries an Internet Explorer user-agent. The links went to pages hosted on a number of compromised third-party sites.


VirusTotal report

AVware: Win32.Malware!Drop
Avira: TR/ATRAPS.A.2000
ESET-NOD32: a variant of Win32/Kryptik.CQDN
Emsisoft: Trojan-Downloader.Win32.Agent (A)
McAfee: Upatre-FAAH!78CF05FAA79B
McAfee-GW: BehavesLike.Win32.Downloader.mm
Norman: Upatre.FH
Qihoo-360: HEUR/QVM20.1.Malware.Gen
Sophos: Mal/Generic-S

HTTP check-in:
188.165.206.208:30096

HTTP download of more malware:
projetglory.awardspace.com/fichiers/miniuk1.pmg
shahlart.com/miniuk1.pmg

Malwr.com report 

Starts servers listening on 0.0.0.0:0
Performs some HTTP requests
Steals private information from local Internet browsers
Creates an Alternate Data Stream (ADS)
Installs itself for autorun at Windows startup

TotalHash report 

20 August 2014

Attachment: invoice#436441890.pdf is a genuinely malicious PDF file.

VirusTotal report | malwaretracker.com report | Contents of the malicious stream object can be found at this pastebin.

30 April 2014

Attachment: invoice_04302014.zip containing invoice_04302014.scr

VirusTotal report | Malwr.com report

7 April 2014

Attachment: invoice.zip containing invoice_7529837592352384_8234892ei.pdf.exe

VirusTotal report | Malwr.com report

17 Oct 2013

Attachment: multiple files and further zips nested inside a zip.

Invoice.zip contains a directory holding invoice_23898422_93mn.pdf.exe and another zip file, Initex.Software.Proxifier.v2.9.Incl.Keymaker-ZWT.zip, which in turn contains a directory called Initex.Software.Proxifier.v2.9.Incl.Keymaker-ZWT.

The Initex.Software.Proxifier.v2.9.Incl.Keymaker-ZWT directory contains zwt.nfo, file_id.diz, and keygen.exe.

keygen.exe virustotal report | malwr.com report

invoice_23898422_93mn.pdf.exe virustotal report | invoice_23898422_93mn.pdf.exe malwr.com report

13 May 2013

Attachment: ADP_inv_#02456266074_051013.zip containing ADP_inv_#0(DIGIT[10])_051013.exe

VirusTotal report

15 March 2013

Attachment: inv_#01893838367_03152013.zip containing inv_#0(DIGIT[10])_03152013.exe

VirusTotal report
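The attachments catalogued above share a few name-level tells: an executable (.exe or .scr) inside an "invoice" zip, a double extension such as .pdf.exe, a nested archive carrying a keygen, and the ADP_inv_#0 plus ten digits plus date naming pattern. The following is an added example (not from the original page) that scans an in-memory zip for those tells; the archive it builds is constructed here with inert text members named after the page's samples, and the "ADP_inv_#02456266074" name reuses the digits from the page's zip name.

```python
import io
import re
import zipfile

# Extensions Windows will execute directly when double-clicked out of a zip.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOC_EXT = {"pdf", "doc", "xls", "txt"}
# Naming pattern the page records for the 2013 lures: [ADP_]inv_#0<10 digits>_<MMDDYY>.exe
ADP_INV = re.compile(r"^(adp_)?inv_#0\d{10}_\d{6}\.exe$")

def classify(member):
    """Reasons a zip member name matches the lures catalogued above ([] if none)."""
    base = member.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    reasons = []
    if parts[-1] in EXEC_EXT:
        reasons.append("executable inside an 'invoice' archive")
    if len(parts) >= 3 and parts[-2] in DOC_EXT:
        reasons.append("double extension posing as a ." + parts[-2])
    if ADP_INV.match(base):
        reasons.append("matches the ADP_inv_#0<10 digits>_<date>.exe pattern")
    if base == "keygen.exe":
        reasons.append("bundled keygen")
    if parts[-1] == "zip":
        reasons.append("nested archive")
    return reasons

def scan_archive(data):
    """Map each suspicious member of an in-memory zip to its reasons."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            reasons = classify(name)
            if reasons:
                hits[name] = reasons
    return hits

def build_sample():
    """Constructed archive mimicking the page's 2013 lures; members are inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice/invoice_23898422_93mn.pdf.exe", "inert placeholder")
        zf.writestr("Invoice/Initex.Software.Proxifier.v2.9.Incl.Keymaker-ZWT.zip", "inert")
        zf.writestr("ADP_inv_#02456266074_051013.exe", "inert placeholder")
        zf.writestr("readme.txt", "harmless")
    return buf.getvalue()
```

Name checks alone say nothing about the 20 August 2014 sample, invoice#436441890.pdf, which is a plain .pdf name; that one needs content inspection of the PDF's stream objects, as the linked reports did.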
