

Fake French-language scan-to-email style message claims to come from a Xerox device in your own domain and to carry an attached PDF.

Attached zip contains an exe virus or trojan horse.

Spoofs recipient domain in From headers.

Subject: Scan de 0284358

Scan de 0284358
Format de fichier: PDF MMR(G4)
Resolution: 200dpi x 200dpi

Le fichier joint est une image numerisee au format PDF. Utilisez Acrobat(R)Reader(R)
ou Adobe(R)Reader(R) d'Adobe
Systems Incorporated pour visualiser le document. Il est possible de telecharger
Adobe(R)Reader(R) de l'adresse suivante:
Adobe, le logo Adobe, Acrobat, le logo Adobe PDF et Reader sont des marques
deposees ou des marques commerciales
d'Adobe Systems Incorporated aux Etas-Unis et dans les autres pays. (9)

Some versions mention your domain:

Scan de [recipient domain]
Format de fichier: PDF MMR(G4)
Resolution: 200dpi x 200dpi

Google Translate rendering of the French text into English:

Scan 0284358
File Format: PDF MMR (G4)
Resolution: 200dpi x 200dpi

The attached file is a scanned image in PDF format. Use Acrobat(R) Reader(R)
or Adobe(R) Reader(R) from Adobe
Systems Incorporated to view the document. Adobe(R) Reader(R) can be downloaded
from the following address:
Adobe, the Adobe logo, Acrobat, the Adobe PDF logo, and Reader are registered
trademarks or trademarks of
Adobe Systems Incorporated in the United States and other countries.

Header Examples:

The From header spoofs the recipient's own domain, while the envelope sender (X-Envelope-From) is a random local part with no domain at all.

Received: from XFGAJPOQ ([]
X-Envelope-From: croonkl80
From: "Xerox" <scan @[your domain]>
Subject: Scan de 0670566

Received: from []
X-Envelope-From: livingqsp50
From: "Xerox" <scan @[your domain]>
Subject: Scan de 0284358

Received: from []
X-Envelope-From: regardlesszhzn27
From: "Xerox" <scan @[your domain]>
Subject: Scan de 0084339

Received: from []
X-Envelope-From: uncontrollablyv
From: "Xerox" <scan @[your domain]>
Subject: Scan de [your domain]

Received: from []
X-Envelope-From: rationalizingpu74
From: "Xerox" <scan @[your domain]>
Subject: Scan de 9930377

Received: from []
X-Envelope-From: warwick303
From: "Xerox" <scan @[your domain]>
Subject: Scan de [your domain]

Attachment Samples: zip containing Scan_002_07032014_001.exe
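The two tells described above (From header carrying the recipient's own domain while the envelope sender is a bare random string, and an executable hidden inside the zip "scan") are easy to turn into a mail-gateway check. The script below is an added example, not code from the original post: it parses a constructed header sample modelled on the ones quoted above, builds a small in-memory zip in place of the real attachment, and returns a list of reason tags. The executable-extension list, the tag names, and the `example.com` recipient domain are assumptions of the example.

```python
import io
import re
import zipfile
from email import message_from_string
from email.utils import parseaddr

# Subject pattern used by the campaign: "Scan de <digits>" or "Scan de <domain>".
SUBJECT_RE = re.compile(r"^Scan de (?:\d+|[\w.-]+\.[a-z]{2,})$", re.IGNORECASE)

# Extensions treated as executable content (assumption: a reasonable default list).
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' when it has none.
    The envelope senders quoted above (e.g. 'croonkl80') have no domain."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def executable_attachments(attachments):
    """Return names of executable attachments, looking one level inside zips.
    attachments is an iterable of (filename, raw_bytes)."""
    found = []
    for name, data in attachments:
        lower = name.lower()
        if lower.endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for inner in zf.namelist():
                        if inner.lower().endswith(EXEC_EXTS):
                            found.append(f"{name}/{inner}")
            except zipfile.BadZipFile:
                # A corrupt or deliberately malformed zip is itself worth flagging.
                found.append(f"{name} (unreadable zip)")
        elif lower.endswith(EXEC_EXTS):
            found.append(name)
    return found


def check_message(raw_headers: str, recipient_domain: str, attachments) -> list:
    """Return reason tags for which the message matches the fake Xerox scan pattern."""
    msg = message_from_string(raw_headers)
    recipient_domain = recipient_domain.lower()
    reasons = []

    # From claims to be inside our own domain, but the envelope sender is not.
    from_domain = domain_of(msg.get("From", ""))
    env_domain = domain_of(msg.get("X-Envelope-From", ""))
    if from_domain == recipient_domain and env_domain != recipient_domain:
        reasons.append("spoofed-from")

    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        reasons.append("scan-subject")

    for name in executable_attachments(attachments):
        reasons.append(f"exe-attachment:{name}")
    return reasons


# Constructed header sample modelled on the ones quoted above (example.com is a placeholder domain).
SAMPLE_HEADERS = """\
X-Envelope-From: croonkl80
From: "Xerox" <scan@example.com>
To: someone@example.com
Subject: Scan de 0670566

"""


def build_sample_zip() -> bytes:
    """Constructed stand-in for the real attachment: a zip holding a fake exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder bytes only; not the actual malware sample.
        zf.writestr("Scan_002_07032014_001.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


SAMPLE_ATTACHMENTS = [("Scan_002_07032014.zip", build_sample_zip())]

if __name__ == "__main__":
    for reason in check_message(SAMPLE_HEADERS, "example.com", SAMPLE_ATTACHMENTS):
        print(reason)
```

Run against the constructed sample it reports all three tags; against a message whose From domain is not the recipient's, or whose attachment is a genuine PDF, only the matching tags remain. A real deployment would take the recipient domain from the delivery envelope rather than a constant.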

VirusTotal report:

AntiVir: TR/Yarwi.A.26
Avast: Win32:Malware-gen
CMC: Packed.Win32.Katusha.3!O
Commtouch: W32/Trojan.LNWL-1471
ESET-NOD32: Win32/TrojanDownloader.Waski.A
Ikarus: Trojan-Spy.Zbot
Qihoo-360: HEUR/Malware.QVM20.Gen
Rising: PE:Malware.XPACK/RDM!5.1

Starts servers listening on,,
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Operates on local firewall's policies and settings
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup
Generates some ICMP traffic
HTTP downloads: /images /0703UKp.wix

Drops: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\true_updater.exe
Binary may include packed or encrypted data
PE sections with suspicious entropy found
Creates guard pages, often used to prevent reverse engineering and debugging

Samples were provided to ClamAV and Microsoft Security when this article was created.
