# Security risk: Spam e-mail from "puremobile.com" confirming order! Virus through pdf?



## scaminatrix (Mar 25, 2011)

Hi all. I just got these 2 e-mails in my gmail account:



Spoiler: 1st e-mail



FROM: coneal@serve.com
TO: fmeg@mailcity.com 



> Thank you for ordering from Puremobile Inc.
> 
> This message is to inform you that your order has been received
> and is currently being processed.
> ...








Spoiler: 2nd e-mail



FROM: {LINE[from_name]} <info@live-servers.net> 
TO: {#FIRST_EMAIL} 



> {SPACES>2<15#MARK}
> Thank you for ordering from Puremobile Inc.
> 
> This message is to inform you that your order has been received
> ...






*If anyone gets this e-mail, don't open the pdf file for security reasons.*

How likely is it that the PDF file is a virus?


----------



## erocker (Mar 25, 2011)

Unless I purchased something from a site called "puremobile" I would have no reason to open the email and most definitely not open some attached file. That's virus protection 101.


----------



## stefan95p (Mar 25, 2011)

*


----------



## Black Panther (Mar 25, 2011)

I got something similar on the work email address. I don't remember the name of the company because it was some months ago. They said I had purchased some shoes costing some €700 and that the amount was debited from my Visa. And yup, I needed to open some file.

I was nearly 100% sure it was spam. But to check I went into my internet banking, found that no such debit had been effected from my account, and then deleted the email.

Absolutely do not open files from such emails. If the info troubles you, check your internet banking or, if not available, go to your bank. It's very likely only a scam.


----------



## brandonwh64 (Mar 25, 2011)

No, puremobile exists, or it used to exist, because I bought a Motorola V3I with iTunes *unlocked* back in 2007 so I could use it on my deployment to Iraq.


----------



## scaminatrix (Mar 25, 2011)

erocker said:


> Unless I purchased something from a site called "puremobile" I would have no reason to open the email and most definitely not open some attached file. That's virus protection 101.



I always check the contents of the e-mail just to see how bad (laughable) it is. Gmail blocks images etc. by default for me, so I don't have to worry too much about opening the e-mail. Of course, the attachment stays unopened.
Aah, the good old days when I would just get my laptop out and infect myself for the lulz!



stefan95p said:


> Hi scaminatrix,
> I got this e-mail too, and I searched in Google for that firm. The firm does exist, but the mail seems to be spam.
> Here's a thread in the Gmail Forum about that: http://www.google.com/support/forum/p/gmail/thread?tid=46552709a01f1cd7&hl=en&fid=46552709a01f1cd700049f53ef9d06c6
> And I was so stupid to open the file... Hope I didn't get a virus on my computer... Norton Internet Security 2011 didn't say anything!?
> Regards!



Aah man, since you opened the PDF, I suggest you download Malwarebytes Anti-Malware and run a full scan, mate.
Personally, I would also ditch Norton and use the Avast! free version, but that's down to preference.



Black Panther said:


> I got something similar on the work email address. I don't remember the name of the company because it was some months ago. They said I had purchased some shoes costing some €700 and that the amount was debited from my Visa. And yup, I needed to open some file.
> I was nearly 100% sure it was spam. But to check I went into my internet banking, found that no such debit had been effected from my account, and then deleted the email.
> Absolutely do not open files from such emails. If the info troubles you, check your internet banking or, if not available, go to your bank. It's very likely only a scam.



Yeah, first thing I did was check my PayPal, since that's the only thing that's registered to the Gmail account (no online banking, etc.).

The thing I'm wondering about the most: is it possible to send a virus through a .pdf file?



brandonwh64 said:


> No, puremobile exists, or it used to exist, because I bought a Motorola V3I with iTunes *unlocked* back in 2007 so I could use it on my deployment to Iraq.



Yeah, it's still around now.
Here's something interesting:



> Received the same 2 emails and opened both PDFs.
> PDFs were damaged and contained a list of PayPals.
> 
> Still waiting for the backlash.



http://www.dslreports.com/forum/r25650532-Credit-Card-Fraud-Who-is-Puremobile-

Seems it's an Adobe exploit.


> Win32/Pdfjsc is the detection for a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. These files contain a JavaScript that executes when the file is opened.
> 
> The embedded JavaScript may contain malicious instructions, such as commands to download and install other malware. Files detected as Exploit:Win32/Pdfjsc may arrive in the system when a user visits a compromised or malicious webpage, or opens a malicious PDF email attachment.



http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Pdfjsc


----------



## od8086 (Apr 15, 2011)

Hi. I'm working in the field of malware analysis, and at the company it was my duty to process these PDF samples. The files are malformed, and there is a malicious exploit too. If anybody is interested, just open the PDF (in a safe environment, VMware for example) in Acrobat Reader, and when it grows to around 250 MB in memory, save the whole dump. Search for the string JAAAA, and there will be many hits. That is one part of the injected shellcode (I don't remember the others; at home I didn't have the infected samples), and the technique used is called heap spraying (Wikipedia, or just Google it); that's why it grows in memory.

The essence of this exploitation method is to fill a big array in memory with shellcode, then use some bug to crash specific parts of the running program. In this case, there's a possibility of passing the control flow to the machine-code-filled array, and voila... In this case, I think it works only under certain versions of Acrobat Reader (and the version of the OS is crucial, too). Maybe before v9.2, I think, but I haven't tested yet.

For many reasons, especially in the case of suspicious PDF files, don't trust just one AV program; use virustotal.com, for example, or open it using Google Viewer.
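The two technical points raised in this thread (scaminatrix's question of whether a .pdf can carry a virus, answered by the Pdfjsc description of JavaScript that runs when the file opens, and od8086's account of heap-spray padding) can both be checked statically without ever opening the attachment in a reader. The script below is an added example, not code from the thread or from any tool the posters mention. It greps a PDF for the names such samples rely on (/JavaScript, /JS, /OpenAction, /AA, /Launch and friends), undoes the #xx hex escapes PDF allows inside names so an obfuscated /J#61vaScript is still counted, inflates FlateDecode streams so the check reaches content hidden there, and reports long runs of one repeated block, the shape of the JAAAA padding od8086 describes. The three sample documents are constructed stand-ins (the compressed one is deliberately minimal and not a well-formed PDF); the JavaScript in them is an inert placeholder.

```python
"""Static triage of a PDF attachment: risky names, hex-escaped names,
compressed streams and heap-spray-style repeated padding.
Added example; the sample documents are constructed, not the spam samples."""
import re
import zlib

# Names whose presence in a mailed PDF deserves a second look; this is the
# usual set that PDF triage tools report on.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
               b"/Launch", b"/EmbeddedFile", b"/RichMedia", b"/XFA")
# Names that make the document *do* something on open, not just carry data.
ACTIVE_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# A block of 3..16 bytes repeated 20 or more times back to back.
REPEAT_RE = re.compile(rb"(.{3,16}?)\1{19,}", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo the #xx escape PDF permits inside names (/J#61vaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Decompressed body of every stream that inflates as zlib; others skipped."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return out


def count_names(data: bytes) -> dict:
    """Count each risky name; the lookahead keeps /JS from matching /JSX."""
    return {name.decode(): len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", data))
            for name in RISKY_NAMES}


def find_repeated_blocks(data: bytes) -> list:
    """(block, repeat_count) for every long run of one repeated block."""
    return [(m.group(1), len(m.group(0)) // len(m.group(1)))
            for m in REPEAT_RE.finditer(data)]


def triage(pdf: bytes) -> dict:
    """Scan the raw file (stream bodies blanked) plus each inflated stream."""
    streams = inflate_streams(pdf)
    skeleton = STREAM_RE.sub(b"stream\nendstream", pdf)  # drop compressed bytes
    views = [skeleton] + streams
    names = count_names(b"\n".join(normalize_names(v) for v in views))
    repeats = [r for v in views for r in find_repeated_blocks(v)]
    return {
        "is_pdf": pdf.startswith(b"%PDF"),
        "names": names,
        "streams_inflated": len(streams),
        "repeated_blocks": repeats,
        "suspicious": any(names[n] for n in ACTIVE_NAMES) or bool(repeats),
    }


# Constructed sample 1: plain-text document whose OpenAction runs JavaScript.
SAMPLE_OPENACTION = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert("placeholder")) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_compressed_sample(name: bytes, js: bytes) -> bytes:
    """Constructed sample 2: the action dictionary sits inside a FlateDecode
    stream, where a grep of the raw bytes would miss it (minimal stand-in,
    not a well-formed PDF)."""
    body = b"<< /S " + name + b" /JS (" + js + b") >>"
    packed = zlib.compress(body)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(packed)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + packed
            + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


# Hex-escaped name plus a 250-byte run of the JAAAA pattern from the thread.
SAMPLE_OBFUSCATED = build_compressed_sample(
    b"/J#61vaScript", b'var spray = "' + b"JAAAA" * 50 + b'";')

# Constructed sample 3: nothing active at all.
SAMPLE_CLEAN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("openaction", SAMPLE_OPENACTION),
                       ("obfuscated", SAMPLE_OBFUSCATED),
                       ("clean", SAMPLE_CLEAN)):
        print(label, triage(doc))
```

The verdict is deliberately coarse: a PDF with document JavaScript or an OpenAction is not necessarily hostile, but in an unsolicited "order confirmation" it is reason enough to send the file to a multi-engine scanner or a sandbox rather than to Reader, which is exactly what the thread recommends.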


----------

