
Security risk: Spam e-mail from "puremobile.com" confirming order! Virus through pdf?

Hi all. I just got these two e-mails in my Gmail account:

FROM: coneal@serve.com
TO: fmeg@mailcity.com

Thank you for ordering from Puremobile Inc.

This message is to inform you that your order has been received
and is currently being processed.

Your order reference is 4813.
You will need this in all correspondence.
This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card.
Your card will be charged for the amount of 705.00 USD
and "Puremobile Inc." will appear next to the charge on your statement.
Your purchase information appears below in the file.

OrderN25031152.pdf
73K (size)

FROM: {LINE[from_name]} <info@live-servers.net>
TO: {#FIRST_EMAIL}

{SPACES>2<15#MARK}
Thank you for ordering from Puremobile Inc.

This message is to inform you that your order has been received
and is currently being processed.

Your order reference is {DIGITS>4<6#MARK}.
You will need this in all correspondence.
This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card.
Your card will be charged for the amount of {INT>400<900#MARK}.00 USD
and "Puremobile Inc." will appear next to the charge on your statement.
Your purchase information appears below in the file.

Puremobile Inc.{SPACES>2<15#MARK}

OrderN25031152.pdf
73K (size)

If anyone gets this e-mail, don't open the pdf file for security reasons.

How likely is it that the PDF file is a virus?
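The second mail above is the more interesting one: the sender's kit shipped its template with the `{LINE[from_name]}`, `{#FIRST_EMAIL}`, `{DIGITS>4<6#MARK}` and `{INT>400<900#MARK}` macros unexpanded, and neither mail was addressed to the mailbox it landed in. As an added example (not part of the original post or any product the thread mentions), the Python below turns those observations into mail-triage checks: recipient absent from To/Cc, unexpanded template macros, a brand named in the body that does not match the sending domain, and a card-charge lure that points at an attachment. The three sample messages are constructed from the quoted text (trimmed, with a made-up `victim@gmail.com` recipient and a made-up legitimate control); the thresholds and regexes are mine.

```python
import re
from email import message_from_string

MAILBOX = "victim@gmail.com"   # assumed: the Gmail address the mails actually landed in

# Constructed messages, trimmed to the lines quoted in the thread. TEMPLATE_MAIL is the
# same template with the spam kit's macros left unexpanded, as in the second mail.
ORDER_MAIL = """\
From: coneal@serve.com
To: fmeg@mailcity.com
Subject: Thank you for ordering from Puremobile Inc.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Thank you for ordering from Puremobile Inc.
Your order reference is 4813.
Your card will be charged for the amount of 705.00 USD
Your purchase information appears below in the file.

--b1
Content-Type: application/pdf; name="OrderN25031152.pdf"
Content-Disposition: attachment; filename="OrderN25031152.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""
TEMPLATE_MAIL = (ORDER_MAIL
    .replace("coneal@serve.com", "{LINE[from_name]} <info@live-servers.net>")
    .replace("fmeg@mailcity.com", "{#FIRST_EMAIL}")
    .replace("reference is 4813", "reference is {DIGITS>4<6#MARK}")
    .replace("amount of 705.00", "amount of {INT>400<900#MARK}.00")
    .replace("in the file.", "in the file.\nPuremobile Inc.{SPACES>2<15#MARK}"))
LEGIT_MAIL = """\
From: orders@shop.example
To: victim@gmail.com
Subject: Your order 4813
MIME-Version: 1.0
Content-Type: text/plain

Thank you for ordering from Shop. Your order reference is 4813.
"""

MACRO_RE = re.compile(r"\{#?[A-Z_]+(?:\[[^\]]*\])?[^{}]*\}")   # {DIGITS>4<6#MARK}, {LINE[from_name]}, {#FIRST_EMAIL}
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")                       # regex, not parseaddr: kit headers are malformed

def triage_order_mail(raw: str, mailbox: str = MAILBOX) -> dict:
    """Score an 'order confirmation' mail on the tells visible in the two mails from the thread."""
    msg = message_from_string(raw)            # compat32: headers stay raw strings, nothing is re-parsed
    body, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    body = "\n".join(body)
    sender = msg.get("From", "")
    to_cc = msg.get_all("To", []) + msg.get_all("Cc", [])
    reasons = []
    # 1. Bulk send: our address is nowhere in To/Cc, so we were one of many Bcc recipients.
    if mailbox.lower() not in {a.lower() for a in ADDR_RE.findall(" ".join(to_cc))}:
        reasons.append("mailbox not in To/Cc (bulk Bcc send)")
    # 2. Template macros the kit forgot to expand, in headers or body.
    macros = sorted(set(MACRO_RE.findall(" ".join([sender, *to_cc, body]))))
    if macros:
        reasons.append("unexpanded template macros: " + ", ".join(macros))
    # 3. The brand the body claims to be from is not in the sending domain.
    brand = re.search(r"ordering from ([A-Z][A-Za-z0-9]+)", body)
    domain_m = re.search(r"@([\w.-]+)", sender)
    domain = domain_m.group(1).lower() if domain_m else ""
    if brand and brand.group(1).lower() not in domain:
        reasons.append(f"brand {brand.group(1)!r} vs sender domain {domain!r}")
    # 4. The lure: a charge you never made, with the 'details' only in an attachment.
    charge = re.search(r"charged for the amount of\s+(\S+)\s*(USD|EUR|GBP)", body)
    if charge and attachments:
        reasons.append(f"card-charge lure ({charge.group(1)} {charge.group(2)}) with attachment {attachments[0]}")
    return {"reasons": reasons, "attachments": attachments, "macros": macros,
            "verdict": "phish" if len(reasons) >= 2 else "ok"}
```

Run on the two thread mails this returns "phish" with three and four reasons respectively; the control mail scores none. The recipient check is the cheapest of the four and already catches the bulk send, which is why the bank-statement check people describe later in the thread is the right reflex: the mail never had anything to do with you.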
 
Unless I purchased something from a site called "puremobile" I would have no reason to open the email and most definitely not open some attached file. That's virus protection 101.
 
I got something similar on the work email address. I don't remember the name of the company because it was some months ago. They said I had purchased some shoes costing some €700 and that the amount was debited from my visa. And yup I needed to open some file.

I was nearly 100% sure it was spam. But to check I went into my internet banking, found that no such debit had been effected from my account, and then deleted the email.

Absolutely do not open files from such emails. If the info troubles you check your internet banking or if not available go to your bank. It's very likely only a scam.
 

brandonwh64
No, puremobile exists, or it used to exist, because I bought a Motorola V3I with iTunes *Unlocked* back in 2007 so I could use it on my deployment to Iraq.
 
Unless I purchased something from a site called "puremobile" I would have no reason to open the email and most definitely not open some attached file. That's virus protection 101.

I always check the contents of the e-mail just to see how bad (laughable) it is. Gmail blocks images etc. by default for me, so I don't have to worry too much about opening the e-mail. Of course, the attachment stays unopened.
Aah, the good old days when I would just get my laptop out and infect myself for the lulz!

Hi scaminatrix,
I got this e-mail, too and I searched in Google for that firm. The firm does exist, but the mail seems to be spam :mad:
Here's a thread in the Gmail Forum about that: http://www.google.com/support/forum/p/gmail/thread?tid=46552709a01f1cd7&hl=en&fid=46552709a01f1cd700049f53ef9d06c6
And I was so stupid to open the file... Hope I didn't get a virus on my computer... Norton Internet Security 2011 didn't say anything!?
Regards!

Aah man, since you opened the PDF, I suggest you download Malwarebytes Anti-Malware and run a full scan, mate.
Personally, I would also ditch Norton and use Avast! free version, but that's down to preference.

I got something similar on the work email address. I don't remember the name of the company because it was some months ago. They said I had purchased some shoes costing some €700 and that the amount was debited from my visa. And yup I needed to open some file.
I was nearly 100% sure it was a spam. But to check I went into my internet banking, found that no such debit had been effected from my account, and then deleted the email.
Absolutely do not open files from such emails. If the info troubles you check your internet banking or if not available go to your bank. It's very likely only a scam.

Yeah, the first thing I did was check my PayPal, since that's the only thing that's registered to the Gmail account (no online banking, etc.).

The thing I'm wondering the most - is it possible to send a virus through a .pdf file?

No, puremobile exists, or it used to exist, because I bought a Motorola V3I with iTunes *Unlocked* back in 2007 so I could use it on my deployment to Iraq.

Yeah, it's still about now.
Here's something interesting:

Received the same 2 emails and opened both pdf's
Pdfs were damaged and contained a list of PayPals

Still waiting for the backlash

http://www.dslreports.com/forum/r25650532-Credit-Card-Fraud-Who-is-Puremobile-

Seems it's an Adobe exploit.
Win32/Pdfjsc is the detection for a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. These files contain a JavaScript that executes when the file is opened.

The embedded JavaScript may contain malicious instructions, such as commands to download and install other malware. Files detected as Exploit:Win32/Pdfjsc may arrive in the system when a user visits a compromised or malicious webpage, or opens a malicious PDF email attachment.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Pdfjsc
 

od8086 (new member, Hungary)
Hi. I'm working in the field of malware analysis, and at the company it was my duty to process these PDF samples. The files are malformed, and there is a malicious exploit too.

If anybody is interested, just open the PDF (in a safe environment, VMware for example) in Acrobat Reader, and when it grows to around 250 MB in memory, save the whole dump. Search for the string JAAAA, and there will be many hits. That is one part of the injected shellcode (I don't remember the others; at home I didn't have the infected samples :)), and the technique used is called heap spraying (Wikipedia, or just Google it); that's why it grows in memory. The essence of this exploitation method is to fill a big array in memory with shellcode, then use some bug to crash specific parts of the running program. In this case, there's a possibility of passing the control flow to the machine-code-filled array, and voilà... :)

In this case, I think it works only under certain versions of Acrobat Reader (and the version of the OS is crucial, too). Maybe before v9.2, I think, but I haven't tested yet. For many reasons, especially in the case of suspicious PDF files, don't trust just one AV software: use virustotal.com for example, or open it using Google viewer. :)
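To answer the "can a PDF carry a virus?" question from earlier in the thread in code, and to show what the Pdfjsc description and the heap-spray explanation above look like inside a file: a PDF is a container of numbered objects, and an `/OpenAction` (or `/AA` additional-action) entry in the catalog can point at a `/JavaScript` action whose script runs as soon as Reader opens the document. The script then builds the spray: `unescape("%u...")` shellcode, a NOP-like string doubled in a loop until it is hundreds of kilobytes, and an array filled with hundreds of copies, which is exactly why the process balloons to ~250 MB before the bug is triggered. The Python below is an added example (not code from the thread, from Microsoft or from any AV product): a static triage pass that lists the auto-execution keys, pulls out the JavaScript (inline or by object reference, inflating `/FlateDecode` streams) and flags heap-spray shapes. Both PDFs are constructed here; the "exploit" one contains no real exploit, only a script shaped like one, and the 96-byte run of `A` stands in for the `JAAAA` pattern mentioned in the dump. The regex heuristics are mine.

```python
import re
import zlib

# Constructed sample, NOT the OrderN25031152.pdf from the thread: a tiny PDF whose catalog
# /OpenAction fires a JavaScript action, with a script body shaped like a heap spray.
SPRAY_JS = (
    b'var shellcode = unescape("%u4141%u4141%u4141%u4141%u4141%u4141");\n'
    b'var nop = unescape("%u0a0a%u0a0a");\n'
    b'while (nop.length < 0x40000) nop += nop;\n'
    b'var pad = "' + b"A" * 96 + b'";\n'      # stands in for the long AAAA run seen in the dump
    b'var spray = new Array();\n'
    b'for (var i = 0; i < 400; i++) spray[i] = nop + shellcode;\n'
)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
    b"5 0 obj << /Length " + str(len(SPRAY_JS)).encode() + b" >>\nstream\n" + SPRAY_JS + b"endstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
BENIGN_PDF = (   # constructed control: one page of text, no actions, no scripts
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 44 >>\nstream\nBT /F1 12 Tf 72 712 Td (Invoice 4813) Tj ET\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")
# Keys that make Reader act as soon as the document is opened or a page/field is touched.
ACTIVE_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile")
# Heuristic shapes of heap-spray JavaScript (my patterns, not from the thread): %u-escaped
# shellcode, a string doubled until it is hundreds of KB, an array filled with copies, pad runs.
SPRAY_PATTERNS = {
    "unescape %u shellcode": re.compile(rb"unescape\s*\(\s*[\"'](?:%u[0-9a-fA-F]{4}){2,}"),
    "string doubling loop": re.compile(rb"while\s*\([^)]*\.length\s*<\s*0x[0-9a-fA-F]{4,}[^)]*\)\s*(\w+)\s*\+=\s*\1\b"),
    "array fill": re.compile(rb"for\s*\([^)]*\)\s*\w+\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+"),
    "long repeated byte run": re.compile(rb"(.)\1{63,}", re.DOTALL),
}

def decode_stream(obj_body: bytes) -> bytes:
    """Stream data of one object; /FlateDecode inflated, damaged streams kept raw (common in exploits)."""
    m = STREAM_RE.search(obj_body)
    data = m.group(1) if m else b""
    if b"/FlateDecode" in obj_body:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass
    return data

def literal_string(data: bytes, start: int) -> bytes:
    """Read the PDF literal string opening at data[start] == b'(' (nesting and backslash escapes honoured)."""
    depth, out, i = 0, bytearray(), start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                      # escaped character: take the next byte verbatim
            out += data[i + 1:i + 2]
            i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            break
        if not (c == b"(" and depth == 1):  # skip only the opening parenthesis itself
            out += c
        i += 1
    return bytes(out)

def extract_javascript(pdf: bytes) -> list[bytes]:
    """JavaScript bodies of every /JavaScript action, whether inline (...) or an 'N 0 R' stream."""
    objects = {int(n): body for n, _g, body in OBJ_RE.findall(pdf)}   # object scan, no xref needed
    scripts = []
    for body in objects.values():
        if b"/JavaScript" not in body:
            continue
        scripts += [literal_string(body, m.end() - 1) for m in re.finditer(rb"/JS\s*\(", body)]
        scripts += [decode_stream(objects[int(r)]) for r in JS_REF_RE.findall(body) if int(r) in objects]
    return [s for s in scripts if s]

def triage(pdf: bytes) -> dict:
    """Static triage: auto-execution keys present, scripts found, heap-spray hints, verdict."""
    indicators = [k.decode() for k in ACTIVE_KEYS if re.search(re.escape(k) + rb"(?![A-Za-z])", pdf)]
    scripts = extract_javascript(pdf)
    hints = sorted({name for js in scripts for name, rx in SPRAY_PATTERNS.items() if rx.search(js)})
    auto_run = "/OpenAction" in indicators or "/AA" in indicators
    verdict = "suspicious" if scripts and (hints or auto_run) else "review" if scripts or indicators else "clean"
    return {"indicators": indicators, "scripts": len(scripts), "spray_hints": hints, "verdict": verdict}
```

On the constructed sample this reports `/OpenAction`, `/JavaScript` and `/JS`, one script, all four spray hints and the verdict "suspicious"; the control PDF comes back "clean". Real samples hide the script behind `/FlateDecode`, string concatenation and `eval`, and the thread's files were deliberately malformed, so this is a first look for a triage queue, not a replacement for running the file in a VM or submitting the hash to VirusTotal as od8086 suggests.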