Proof 5819 sent from Brazil (spam and Trojan)

The following is a fake email that pretends to include a PDF attachment, supposedly a proof of payment:

The attachment is not actually an attachment; it is just a link in the body of the message, labelled Comprovante_5819.pdf. Hovering the pointer over it, without clicking, shows its destination: in this case an infected site that starts downloading a Trojan.

Spotting the deception may be simple for many, but the fact that the supposed document is a link can go unnoticed, and the text at the end (Ver.asp? DeliveryofDocument = ClientFinal-Proof) also plays its part in the trick: it gives the impression that something important is being delivered.

Now, if the link does not raise suspicion, the .exe executable should. This is what is downloaded when you click: Comprovante_5819.pdf.exe

(VirusTotal 8/42)

Note the double extension: it is an .exe (executable file), but even if it really were a .pdf it should not be opened in this context either (unsolicited mail and document), since PDFs are widely used to camouflage malicious code and infect machines.
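Both warning signs described above, a link whose label imitates an attachment name and a download with a double extension, can be checked automatically by a mail filter. The following Python code is an added example, not part of the original post; the function names, the extension lists and the sample message (including the example.invalid hosts and the query string) are constructed for illustration.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urlsplit

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

def double_extension(filename):
    """True for names like 'x.pdf.exe': document extension, then executable one."""
    stem, last = posixpath.splitext(filename.strip().lower())
    prev = posixpath.splitext(stem)[1]
    return last in EXEC_EXTS and prev in DOC_EXTS

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def fake_attachment_links(html_body):
    """Links whose label looks like a document file but that lead to a web URL."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    return [(text, href) for href, text in parser.links
            if posixpath.splitext(text.lower())[1] in DOC_EXTS
            and urlsplit(href).scheme in ("http", "https")]

# Constructed sample body; the hosts and query string are placeholders.
SAMPLE_BODY = """<p>Segue o comprovante de deposito.</p>
<p><a href="http://infected-site.example.invalid/Ver.asp?doc=5819">Comprovante_5819.pdf</a></p>
<p><a href="http://bank.example.invalid/help">Ajuda</a></p>"""

if __name__ == "__main__":
    for label, href in fake_attachment_links(SAMPLE_BODY):
        print(f"link posing as attachment: {label!r} -> {href}")
    print(double_extension("Comprovante_5819.pdf.exe"))
```

A real attachment arrives as a MIME part of the message, so a document-named link in the body is worth flagging on its own, whatever it ends up downloading.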

Common sense…

A voucher related to a deposit in a checking account is a temptation, especially when the message is written in Portuguese. Even if they are not expecting a deposit or do not have a checking account, many people will surely download it and try to open it over and over again without any idea that they are actually infecting their machines.

Thanks to Jorge for sending this in.

