Phishing for Amazon Renewal - Attached PDFs

Bitdefender needs to get better at this type of scan.

An email to me, containing a PDF titled "Update Payment". The link in the PDF leads to: https://t.umblr.com/redirect?z=https%3A%2F%2Fsemuaakansepertisediakala.com%2F%3FSHUJigndwup&t=ZTVlOGExYzJhMzExZGNhMTZiNTNkOTAyNzBmYTQ2M2YzNDRkYjcxYiw5ODZjMTRiZTU2Yjg0NmE1ODM4OTVjYjE1NTQzYzk3YmU4OTY5YzVm

Multiple engines flagged this as phishing/trojans, but BitDefender let it through. Also, it didn't find anything wrong with it when I saved it to disk and performed a manual scan.

The mail header was a complete mess as well.

==============================================

X-Eon-Dm: m0116959.ppops.net
Return-Path: <noreply.terimakasihataspemeberiannya8639245@indomiegoreng0002.com>
Received: from mail-lj1-f193.google.com (mail-lj1-f193.google.com [209.85.208.193])
   by m0116959.mta.everyone.net (EON-INBOUND) with ESMTP id m0116959.5ef25225.548f61
   for <myemail@here.com; Tue, 30 Jun 2020 11:37:18 -0700
Received: by mail-lj1-f193.google.com with SMTP id d17so9092301ljl.3
       for <amazon@gl-us.net>; Tue, 30 Jun 2020 11:37:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
       d=indomiegoreng0002-com.20150623.gappssmtp.com; s=20150623;
       h=mime-version:from:date:message-id:subject:to;
       bh=1y+knzV+UeTzRjYoZ6CWrX5UI3X6HlSU2otoII40h7Y=;
       b=zexPQMlJsqRbxgFosAylE2EAAkSip+V/qc8dIUh0scPc37NsnsJKl5Xb5tNGNA4HRc
        hfrphPLdEglmSKHus+OOvDPNUvU+0RE4dxnJArg+z6ovi8q815Ez+lhSBu+vTFY5Z04E
        vqsgpbCqkx8IytIalwdxrAjxvL1zjuLu4qE6o+a/GwQLP7zv9jjUYbDCNv06BZZqlCXq
        2ufwRHaFzn94dNhc+eLsnAT5z3xFfFyp4Pf/y4rNKsmJPwt5xPm9iPIesPJfCO3iIsqO
        exc3oJWskEv5zJ0uNxT7x/nR08Eupn3hUjrEz0yeKXIywoUXjOc3eQkr17QDLIWwCtlw
        UbIg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
       d=1e100.net; s=20161025;
       h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
       bh=1y+knzV+UeTzRjYoZ6CWrX5UI3X6HlSU2otoII40h7Y=;
       b=k/NmtE7U8WDIgy+XiOMb5QzSi3E30dThLD6kjr1IPEuuYGy69dRSHIE0W7T6S0t7ks
        ZgqT10MUWI4F8yCSGgCW5AY6YuKYnrLk7A8xb2UkZZ4qrgaY14Ev9SpqqtUPP6XD//b6
        IXNrmaLwqKpqULMmpowfGCMcEzj1GpFRryctI/WQ6Z38vNbxRZtYcrU28eodItSRpMhV
        2xWmgiiql7Zt2jO6NwZndLXyaPmO6eW94TINjcebZXcSOHPpT+CxWQw2AtvqOCRbjsbf
        4CYGDBXNmrJHI4KJgAwfa8pbjXExtyfsL6mH5snPCNqSoAEdJHt3ZzAOE9KzKy9oisIs
        1BmQ==
X-Gm-Message-State: AOAM532pm+11xL2OxgM89RBjKrKGqGgKclwzCMLcljkt/4NWM06lz4qn
   pbhII6gSM8sBZ4If1S/M3WGlT51IPAJ1f9ifgTa/1A==
X-Google-Smtp-Source: ABdhPJxaGik9LDBcXFi2JmcUnLFnLQTJZqBVqWXt69X4DnVOkulZd8wu21XrOXHEO38xHvIiJ8CbBA7LXV2DgTMrs4A=
X-Received: by 2002:a2e:9e88:: with SMTP id f8mr10800585ljk.193.1593542234313;
 Tue, 30 Jun 2020 11:37:14 -0700 (PDT)
MIME-Version: 1.0
From: Amazon Prime <noreply.terimakasihataspemeberiannya8639245@indomiegoreng0002.com>
Date: Tue, 30 Jun 2020 11:36:59 -0700
Message-ID: <CA+EiWncA-aOxcsAC_tH71i6kM2+qdy2Q4p2_hvO++rapEi_7CA@mail.gmail.com>
Subject: =?UTF-8?Q?=E2=9A=A0=EF=B8=8FRe_=3A_Action_required_=2D_Please_verify_or_update?=
 =?UTF-8?Q?_your_payment_information_=23117=2D477=2D8397=2D_00=3A35=3A45_=2B0034_=28GMT?=
 =?UTF-8?Q?=29?=
To: update5512@service-amazon.com
Content-Type: multipart/mixed; boundary="000000000000cff12105a951767f"
X-Eon-Alias-Sig: AQO7DMVe+4ZhnlOFZwEAAAAB,cdb124186f4fcb6bd22be343c9c411eb
X-BitdefenderWKS-SpamStamp: Build: [Engines: 2.15.12.1318, Stamp: 3],
 Multi: [Enabled, t: (0.000006,0.011992)], BW: [Enabled, t:
 (0.000017)], RTDA: [Enabled, t: (0.066312), Hit: No, Details:
 v2.7.113; Id: 12.1i622bd.1ec51op39.j177], total: 0(775)
X-BitdefenderWKS-Spam: No - 0
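The two things a reviewer pulls out of a message like this by hand are the real destination behind the t.umblr.com redirect wrapper and the sender mismatches buried in the header (a brand name in the display name, a DKIM signing domain that does not align with the From domain, and a To: address that is not the mailbox the message was actually delivered to). The script below does both; it is an added example written for this post, not code from the poster or from Bitdefender. The header excerpt is a constructed, abridged copy of the header above (the unclosed `<myemail@here.com` in the first Received line has been closed so it parses, and the DKIM `b=` value is truncated); the `REDIRECT_PARAMS` table and the `brand_words` list are assumptions covering only what appears in this post.

```python
"""Triage a suspected phishing email: unwrap a known redirect URL and
list sender mismatches from a raw header block (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Redirect wrappers and the query parameter carrying the real target.
# Assumption: only the wrapper seen in the post is listed.
REDIRECT_PARAMS = {"t.umblr.com": "z"}

# Constructed excerpt modelled on the header quoted in the post (abridged).
SAMPLE_HEADER = """\
Return-Path: <noreply.terimakasihataspemeberiannya8639245@indomiegoreng0002.com>
Received: from mail-lj1-f193.google.com (mail-lj1-f193.google.com [209.85.208.193])
   by m0116959.mta.everyone.net (EON-INBOUND) with ESMTP id m0116959.5ef25225.548f61
   for <myemail@here.com>; Tue, 30 Jun 2020 11:37:18 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
       d=indomiegoreng0002-com.20150623.gappssmtp.com; s=20150623;
       h=mime-version:from:date:message-id:subject:to;
       bh=1y+knzV+UeTzRjYoZ6CWrX5UI3X6HlSU2otoII40h7Y=; b=zexPQMlJsqRbxgFosAyl
From: Amazon Prime <noreply.terimakasihataspemeberiannya8639245@indomiegoreng0002.com>
Subject: =?UTF-8?Q?=E2=9A=A0=EF=B8=8FRe_=3A_Action_required_=2D_Please_verify_or_update?=
 =?UTF-8?Q?_your_payment_information?=
To: update5512@service-amazon.com

"""

# The link from the PDF, as quoted in the post (t= tracking token shortened).
SAMPLE_LINK = ("https://t.umblr.com/redirect?z=https%3A%2F%2Fsemuaakansepertisediakala.com"
               "%2F%3FSHUJigndwup&t=ZTVlOGExYzJhMzExZGNhMTZiNTNkOTAyNzBmYTQ2M2YzNDRkYjcx")


def unwrap_redirect(url: str) -> str:
    """Return the destination hidden behind a known redirect wrapper, else the URL itself."""
    parsed = urlparse(url)
    param = REDIRECT_PARAMS.get(parsed.netloc.lower())
    if param is None:
        return url
    targets = parse_qs(parsed.query).get(param)  # parse_qs also percent-decodes
    return targets[0] if targets else url


def _dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.strip().split("=", 1)
            tags[key] = val.strip()
    return tags


def triage_headers(raw: str, brand_words=("amazon",)) -> dict:
    """Extract sender-related domains from a raw header block and list mismatches.
    The DKIM check is a domain-alignment comparison only; it does not fetch keys
    or verify the signature."""
    msg = message_from_string(raw, policy=policy.default)  # policy.default decodes RFC 2047
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    _, to_addr = parseaddr(str(msg.get("To", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    rp_domain = return_path.rpartition("@")[2].lower()
    dkim_domain = _dkim_tags(str(msg.get("DKIM-Signature", ""))).get("d", "").lower()

    # The receiving MTA records the envelope recipient in its "for <...>" clause;
    # unlike To:, that clause is not written by the sender.
    delivered_to = ""
    for received in msg.get_all("Received", []):
        m = re.search(r"\bfor <([^>;\s]+)", str(received))
        if m:
            delivered_to = m.group(1).lower()
            break

    findings = []
    name = display_name.lower()
    if any(w in name and w not in from_domain for w in brand_words):
        findings.append(f"display name '{display_name}' names a brand absent from sender domain {from_domain}")
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    if dkim_domain and not (dkim_domain == from_domain or dkim_domain.endswith("." + from_domain)):
        findings.append(f"DKIM d={dkim_domain} does not align with From domain {from_domain}")
    if delivered_to and to_addr.lower() != delivered_to:
        findings.append(f"To: {to_addr} is not the delivered recipient {delivered_to} (bulk/BCC send)")
    return {
        "subject": str(msg.get("Subject", "")),
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "dkim_domain": dkim_domain,
        "to": to_addr,
        "delivered_to": delivered_to,
        "findings": findings,
    }


if __name__ == "__main__":
    print("link target:", unwrap_redirect(SAMPLE_LINK))
    for line in triage_headers(SAMPLE_HEADER)["findings"]:
        print("-", line)
```

On the header above this yields three findings: the "Amazon Prime" display name against an unrelated sender domain, a DKIM `d=` on a gappssmtp.com delegation rather than the From domain, and a To: address that differs from the mailbox the receiving MTA delivered to. None of these is proof on its own (legitimate bulk mail also fails the last check), which is why a scanner keys on the link target as well; `unwrap_redirect` turns the wrapper URL into the bare destination domain that belongs in a blocklist or a submission to the vendor.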

Comments

  • @GL5280

    1) No AV vendor can detect all malicious files.

    2) The link you provided does not open or download anything.

    3) You stated many vendors detect the link, but when the link is checked over VirusTotal only ESET detects it.

    4) If you find any sample/link not detected by Bitdefender, kindly share it with the malware research team directly via the online forum (https://www.bitdefender.com/submit/). If the stuff is malicious, detection will be added within a maximum of 72 hours. If even after 72 hours the stuff is not detected, it is not considered malicious by the research team.


    If this helps, kindly mark the answer as agree/accepted.

    Regards

    Flex

    (Bitdefender beta tester 2019/ 2020)

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)