Security risk: Spam e-mail from "puremobile.com" confirming order! Virus through pdf?

#1
Hi all. I just got these 2 e-mails in my gmail account:

FROM: coneal@serve.com
TO: fmeg@mailcity.com

Thank you for ordering from Puremobile Inc.

This message is to inform you that your order has been received
and is currently being processed.

Your order reference is 4813.
You will need this in all correspondence.
This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card.
Your card will be charged for the amount of 705.00 USD
and "Puremobile Inc." will appear next to the charge on your statement.
Your purchase information appears below in the file.

OrderN25031152.pdf
73K (size)

FROM: {LINE[from_name]} <info@live-servers.net>
TO: {#FIRST_EMAIL}

{SPACES>2<15#MARK}
Thank you for ordering from Puremobile Inc.

This message is to inform you that your order has been received
and is currently being processed.

Your order reference is {DIGITS>4<6#MARK}.
You will need this in all correspondence.
This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card.
Your card will be charged for the amount of {INT>400<900#MARK}.00 USD
and "Puremobile Inc." will appear next to the charge on your statement.
Your purchase information appears below in the file.

Puremobile Inc.{SPACES>2<15#MARK}

OrderN25031152.pdf
73K (size)

If anyone gets this e-mail, don't open the pdf file for security reasons.

How likely is it that the PDF file is a virus?
 

erocker

#2
Unless I purchased something from a site called "puremobile" I would have no reason to open the email and most definitely not open some attached file. That's virus protection 101.
 

Black Panther

#4
I got something similar on the work email address. I don't remember the name of the company because it was some months ago. They said I had purchased some shoes costing some €700 and that the amount was debited from my Visa. And yup, I needed to open some file.

I was nearly 100% sure it was spam. But to check I went into my internet banking, found that no such debit had been effected from my account, and then deleted the email.

Absolutely do not open files from such emails. If the info troubles you, check your internet banking, or if that is not available, go to your bank. It's very likely only a scam.
 

brandonwh64

#5
No, puremobile exists, or it used to exist, cause I bought a Motorola V3I with iTunes *Unlocked* back in 2007 so I could use it on my deployment to Iraq.
 
#6
Unless I purchased something from a site called "puremobile" I would have no reason to open the email and most definitely not open some attached file. That's virus protection 101.
I always check the contents of the e-mail just to see how bad (laughable) it is. Gmail blocks images etc. by default for me, so I don't have to worry too much about opening the e-mail. Ofc, the attachment stays unopened.
Aah, the good old days when I would just get my laptop out and infect myself for the lulz!

Hi scaminatrix,
I got this e-mail too, and I searched on Google for that firm. The firm does exist, but the mail seems to be spam :mad:
Here's a thread in the Gmail Forum about that: http://www.google.com/support/forum/p/gmail/thread?tid=46552709a01f1cd7&hl=en&fid=46552709a01f1cd700049f53ef9d06c6
And I was so stupid as to open the file... Hope I didn't get a virus on my computer... Norton Internet Security 2011 didn't say anything!?
Regards!
Aah man, since you opened the PDF, I suggest you download Malwarebytes Anti-Malware and run a full scan mate.
Personally, I would also ditch Norton and use Avast! free version, but that's down to preference.

I got something similar on the work email address. I don't remember the name of the company because it was some months ago. They said I had purchased some shoes costing some €700 and that the amount was debited from my Visa. And yup, I needed to open some file.
I was nearly 100% sure it was spam. But to check I went into my internet banking, found that no such debit had been effected from my account, and then deleted the email.
Absolutely do not open files from such emails. If the info troubles you, check your internet banking, or if that is not available, go to your bank. It's very likely only a scam.
Yea, first thing I did was check my Paypal, since that's the only thing that's registered to the Gmail account (no online banking, etc).

The thing I'm wondering the most - is it possible to send a virus through a .pdf file?

No, puremobile exists, or it used to exist, cause I bought a Motorola V3I with iTunes *Unlocked* back in 2007 so I could use it on my deployment to Iraq.
Yea, it's still about now.
Here's something interesting:

Received the same 2 emails and opened both PDFs
PDFs were damaged and contained a list of PayPals

Still waiting for the backlash
http://www.dslreports.com/forum/r25650532-Credit-Card-Fraud-Who-is-Puremobile-

Seems it's an Adobe exploit.
Win32/Pdfjsc is the detection for a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. These files contain a JavaScript that executes when the file is opened.

The embedded JavaScript may contain malicious instructions, such as commands to download and install other malware. Files detected as Exploit:Win32/Pdfjsc may arrive in the system when a user visits a compromised or malicious webpage, or opens a malicious PDF email attachment.
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Pdfjsc
 

od8086

#7
Hi. I'm working in the field of malware analysis, and at the company it was my duty to process these PDF samples. The files are malformed, and there is a malicious exploit too.

If anybody is interested, just open the PDF (in a safe environment, VMWare for example) in Acrobat Reader, and when it grows to around 250 MB in memory, save the whole dump. Search for the string JAAAA, and there will be many hits. That is one part of the injected shellcode (I don't remember the others; at home I didn't have the infected samples :)), and the technique used is called heap spraying (Wikipedia, or just google it), that's why it grows in memory. The essence of this exploitation method is to fill a big array in memory with shellcode, then use some bug to crash specific parts of the running program. In this case, there's a possibility of passing the control flow to the machine-code filled array, and voila... :)

In this case, I think it works only under certain versions of Acrobat Reader (and the version of the OS is crucial, too). Maybe before v9.2, I think, but I haven't tested yet. For many reasons, especially in the case of suspicious PDF files, don't trust just one AV software; use virustotal.com for example, or open it using Google viewer. :)
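Added example, not code from the thread or from any poster: a small static triage script for a PDF attachment that flags the two things this thread describes, the code-running PDF names (/JavaScript, /JS, /OpenAction and friends) behind the Pdfjsc family, and the heap-spray filler pattern od8086 found as repeated "JAAAA" hits. The sample PDF bytes are constructed here for illustration and are not a real malicious file; the scoring thresholds are assumptions.

```python
import re
import zlib

# Constructed sample: a tiny PDF-like blob carrying the indicators the thread
# describes (JavaScript fired by /OpenAction, plus a heap-spray style filler of
# one short token repeated many times). Not a real malicious sample.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"3 0 obj << /Length 1000 >> stream\n" + b"JAAAA" * 200 + b"\nendstream endobj\n"
    b"%%EOF\n"
)
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

# PDF names that let a document run code or act on open; ordinary documents rarely need them.
RISKY_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]

def inflate_streams(data: bytes) -> bytes:
    """Return data plus the inflated body of every Flate-compressed stream, so names
    hidden inside compressed objects are visible to the keyword scan."""
    out = data
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out += zlib.decompress(m.group(1))
        except zlib.error:
            pass  # not Flate-compressed (or corrupt); its raw bytes are already in out
    return out

def spray_indicator(data: bytes, min_repeats: int = 100):
    """Find one short token repeated back-to-back at least min_repeats times, the
    filler pattern of a heap spray. Returns (token, repeat_count) of the longest run, or None."""
    best = None
    for token_len in (4, 5, 8):
        pattern = rb"(.{%d})\1{%d,}" % (token_len, min_repeats - 1)
        for m in re.finditer(pattern, data, re.S):
            reps = len(m.group(0)) // token_len
            if best is None or reps > best[1]:
                best = (m.group(1), reps)
    return best

def triage(data: bytes) -> dict:
    """Score a PDF: one point per distinct risky name present, two for a spray filler
    (threshold of 2 is an assumption; tune it against your own attachment traffic)."""
    visible = inflate_streams(data)
    keys = {k.decode(): visible.count(k) for k in RISKY_KEYS if k in visible}
    spray = spray_indicator(visible)
    score = len(keys) + (2 if spray else 0)
    return {"risky_keys": keys, "spray": spray, "verdict": "suspicious" if score >= 2 else "low"}
```

Run `triage(open(path, "rb").read())` on a quarantined attachment; a "suspicious" verdict is a reason to send the file to a multi-engine scanner rather than open it, not a confirmation of malware.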