Another day and another fake DHL message leading to an evil .js script.
From: DHL Parcel UK [redacted]
Sent: 02 May 2017 09:30
Subject: DHL Shipment 458878382814 Delivered
You can track this order by clicking on the following link:
Please do not respond to this message. This email was sent from an unattended mailbox. This report was generated at approximately 08:15 am CDT on 02/05/2017.
All weights are estimated.
The shipment is scheduled for delivery on or before the scheduled delivery displayed above. DHL does not determine money-back guarantee or delay claim requests based on the scheduled delivery. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL customer support representative.
This tracking update has been sent to you by DHL on behalf of the Requestor [redacted]. DHL does not validate the authenticity of the requestor and does not validate, guarantee or warrant the authenticity of the request, the requestor’s message, or the accuracy of this tracking update.
Standard transit is the date the package should be delivered by, based on the selected service, destination, and ship date. Limitations and exceptions may apply. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL Customer Support representative.
In this case the link goes to
and downloads a file
The script downloads a binary from a host at 184.108.40.206 (UK2, UK) and then attempts to communicate with the following addresses:
220.127.116.11 (AT&T, US)
18.104.22.168 (XL Internet Services, Netherlands)
22.214.171.124 (1&1, Germany)
126.96.36.199 (Mediaforge, Germany)
188.8.131.52 (dogado GmbH, Germany)
184.108.40.206 (Host Europe, Germany)
220.127.116.11 (RimuHosting, US)
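One way a defender can use the addresses above is to run them as an indicator set over outbound connection logs and flag any internal host that shows the sequence the write-up describes (a fetch from the download host followed by contact with one of the post-infection hosts). The script below is an added example, not code from Dynamoo's Blog; the log format, the internal addresses 10.0.0.x and the benign destination 93.184.216.34 are all constructed for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators quoted from the write-up above: the host the .js script fetches the
# binary from, plus the hosts the binary then contacts. The write-up lists
# 184.108.40.206 and 220.127.116.11 twice with different attributions; a set
# simply de-duplicates them.
IOC_IPS = {
    "184.108.40.206",
    "220.127.116.11",
    "18.104.22.168",
    "22.214.171.124",
    "126.96.36.199",
    "188.8.131.52",
}

# Constructed sample firewall log lines (not from the post): one internal host
# talks to a benign address, then to the download host, then to two of the
# post-infection hosts; a second internal host only reaches the benign address.
SAMPLE_LOG = """\
2017-05-02T09:31:02Z ALLOW src=10.0.0.15 dst=93.184.216.34 dport=443 proto=tcp
2017-05-02T09:31:40Z ALLOW src=10.0.0.15 dst=184.108.40.206 dport=80 proto=tcp
2017-05-02T09:32:05Z ALLOW src=10.0.0.15 dst=220.127.116.11 dport=443 proto=tcp
2017-05-02T09:32:07Z ALLOW src=10.0.0.15 dst=22.214.171.124 dport=80 proto=tcp
2017-05-02T09:40:11Z ALLOW src=10.0.0.22 dst=93.184.216.34 dport=443 proto=tcp
"""

# Assumed log layout: "<iso-timestamp> <action> src=<ip> dst=<ip> dport=<port> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the
    assumed layout or the addresses are not valid IPs."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    return rec


def find_ioc_hits(log_text, iocs=IOC_IPS):
    """Return {internal_src: [(timestamp, dst, dport), ...]} for every line whose
    destination is in the indicator set, so each internal host's contacts can be
    read in order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] in iocs:
            hits[rec["src"]].append((rec["ts"], rec["dst"], int(rec["dport"])))
    return dict(hits)


def likely_infected(hits, download_host="184.108.40.206"):
    """Sources that reached the download host and afterwards contacted any other
    indicator: the fetch-then-call-out sequence described in the write-up."""
    infected = []
    for src, events in hits.items():
        dsts = [dst for _, dst, _ in sorted(events)]  # ISO timestamps sort lexically
        if download_host in dsts:
            after = dsts[dsts.index(download_host) + 1:]
            if any(d != download_host for d in after):
                infected.append(src)
    return sorted(infected)


if __name__ == "__main__":
    hits = find_ioc_hits(SAMPLE_LOG)
    for src, events in hits.items():
        for ts, dst, dport in events:
            print(f"{ts} {src} -> {dst}:{dport} matches indicator")
    print("hosts showing download-then-callout sequence:", likely_infected(hits))
```

A single match against the indicator list is worth a look on its own; the download-then-callout ordering is the stronger signal, because it mirrors the behaviour the post attributes to the dropped binary rather than a one-off connection to a shared hosting address.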
The dropped binary has a VirusTotal detection rate of
Source: Dynamoo’s Blog @ May 2, 2017 at 05:24AM