

A fake FedEx spam email claims the courier was unable to deliver your parcel and that a shipment label is attached.

The attached zip contains a malicious JavaScript file that downloads several kinds of malware. Note the double extension on the script (Label_000198889.doc.js): with Windows Explorer's default "hide extensions for known file types" setting it displays as Label_000198889.doc, so the victim thinks they are opening a document.

Subject: [your name], Delivery Notification, ID 000198889 

 FedEx ® 
Dear [ your name ],

Courier was unable to deliver the parcel to you.
Shipment Label is attached to this email.

Jerome Hall,
FedEx Station Manager.
(C) 2014 FedEx. The content of this message is protected by copyright and trademark laws. All rights reserved.
Picture of fake FedEx email with malicious .js in zip attachment.

Header Examples:

The display name is made to look like FedEx, but the headers aren't spoofing anything useful.

Received: from []
X-Envelope-From: webmaster
From: "FedEx SmartPost" <support>
Subject: [your name], Delivery Notification, ID 000198889


16 December 2014 

Attachment: containing Label_000198889.doc.js

VirusTotal report 

Avast      JS:Agent-DHL [Trj]
Kaspersky  Trojan-Downloader.JS.Agent.hch
McAfee     JS/Downloader-BNW
Sophos     Troj/JSDldr-V

The JavaScript file, both original and deobfuscated, can be seen at this pastebin. In short, it downloads three executables from three URLs: one gives 121.jpg, one gives 4887.jpg and one gives 5281.jpg.

I had to use an Internet Explorer user-agent to get the malware. The files were Win32 portable executables but named as .jpg's. The JavaScript file would rename them to .exe's and put them in a temp folder.
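As an added example (this is not code from the original post, nor the malware's own script), here is a small Python checker for the trick described above. It inspects the bytes of each downloaded "image" instead of trusting the extension, walks the DOS header to the PE signature and COFF header, and flags a PE that arrived under a .jpg name. The sample inputs are constructed in the script and are not the real 121.jpg / 4887.jpg / 5281.jpg; `fetch_with_ie_ua` and the `IE_USER_AGENT` string are assumed helpers showing how an analyst would send the Internet Explorer User-Agent the server demanded, and they are not called offline.

```python
import struct
import urllib.request
from pathlib import Path

# Assumed IE User-Agent string; the post only says an IE UA was required.
IE_USER_AGENT = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64"}


def fetch_with_ie_ua(url: str, timeout: int = 20) -> bytes:
    """Retrieve a payload the way the downloader did (IE User-Agent).
    For analyst use in a lab; never invoked by the offline sample run below."""
    req = urllib.request.Request(url, headers={"User-Agent": IE_USER_AGENT})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def build_fake_pe(machine: int = 0x014C) -> bytes:
    """Constructed test input: a 64-byte DOS header whose e_lfanew (offset 0x3C)
    points straight at a 'PE\\0\\0' signature followed by a 20-byte COFF header."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 0xE0, 0x0102)
    return dos + b"PE\x00\x00" + coff


# Constructed samples, NOT the real payloads from the campaign.
SAMPLE_PE = build_fake_pe()
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32


def classify(data: bytes) -> dict:
    """Decide what the bytes actually are, independent of the filename."""
    if data[:3] == b"\xff\xd8\xff":
        return {"type": "jpeg"}
    if data[:2] != b"MZ" or len(data) < 0x40:
        return {"type": "unknown"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return {"type": "mz-only"}  # DOS stub without a usable PE header
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    return {
        "type": "pe",
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
    }


def check_download(name: str, data: bytes) -> str:
    """Flag the 'PE named as an image' trick the downloader relies on."""
    info = classify(data)
    ext = Path(name).suffix.lower()
    if info["type"] == "pe" and ext in {".jpg", ".jpeg", ".gif", ".png"}:
        return (f"{name}: PE ({info['machine']}, {info['sections']} sections) "
                f"disguised as {ext}")
    return f"{name}: {info['type']}"


if __name__ == "__main__":
    # Offline demo over the constructed samples.
    for fname, blob in (("121.jpg", SAMPLE_PE), ("real.jpg", SAMPLE_JPEG)):
        print(check_download(fname, blob))
```

On a real capture you would replace the constructed blobs with the bytes returned by `fetch_with_ie_ua(url)` for each of the three URLs and feed them to `check_download` under the name the script saved them as.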

Downloaded executable : 121.jpg / 121.exe

VirusTotal report 

AhnLab-V3   Trojan/Win32.XPack
Avira       TR/FakeRean.A.54
Bkav        HW32.Packed.72E8
ESET-NOD32  Win32/Adware.XPAntiSpyware.AH
Qihoo-360   Malware.QVM19.Gen

Developer metadata
Copyright:    Copyright EmiSoft Company
Publisher:    EmiSoft
File version: 1.1.0
Description:  Google Company

qcgce2mrvjq91kk1e7pnbb19m52fx1956jc03il0h report 

Performs some HTTP requests
The binary likely contains encrypted or compressed data.
Steals private information from local Internet browsers
Creates an Alternate Data Stream (ADS)
Installs itself for autorun at Windows startup


Downloaded executable: 4887.jpg / 4887.exe (makes me think Zemot -> Rerdom)

VirusTotal report 

0 detections on VirusTotal at the time of scanning.

Performs some HTTP requests


Downloaded executable: 5281.jpg / 5281.exe

VirusTotal report 

AVware        Trojan.Win32.Kryptik.cpvt (v)
Ad-Aware      Trojan.GenericKD.2029888
Avira         TR/Abandrot.A.6
BitDefender   Trojan.GenericKD.2029888
ESET-NOD32    Win32/Fleercivet.AA
Fortinet      W32/AGENT.UQZ!tr
GData         Trojan.GenericKD.2029888
Malwarebytes  Trojan.Krypt
McAfee        Artemis!876781A487F2
VIPRE         Trojan.Win32.Kryptik.cpvt (v)

Authenticode signature block
Publisher: LTD VAL
Signature verification: Signed file, verified signature
Certificate chain:
[+] COMODO Code Signing CA 2
[+] UTN-USERFirst-Object
[+] USERTrust
report

A chain that verifies only tells you that Comodo issued a code-signing certificate to "LTD VAL"; the engines above still flag the file, so treat the publisher name as an indicator to track and revoke against, not as evidence the binary is trustworthy.

Mutex: _HSJ909NJJNJ90203_

So this one was flagged as Fleercivet by NOD32. Kimberly once mentioned that Fleercivet was an ad-fraud clickbot. The mutex matches this Microsoft article on Win64/Fleercivet.B.
