Payment to <email>
Random order number and purchase amount
Link to Dropbox
The download link goes to variations on https://www.dropbox.com/s/xxx/Invoice_294.PDF.scr?dl=1. The retrieved file for this sample has filename GBWNkgcdZ5GFTcBjE6gXTflu3VPLZDCX3zDEXM4ku35IhUrh5haqM9jidSC4nVkF@dl=1, sha256 b4b0d32c8aba6b319587f0828e607327fcdc763a39af4a0479efd2ec49fba949. VirusTotal finds only 1 of 54 tested AV detect it (as Spyware.Zbot.VXGen).
This is a different subject, hash, and detection from what Malcovery reported yesterday, but is still consistent with the Gameover Zeus botnet.
If you receive this spam, don't click the link.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0YdKwkaDqd5yhujQmptHrQzpywXNPwX0Tz0HioAcXhMrEhNG8gjd3Fkru3vxWvJkESlThzncFoy5cJb-Vi1RTBPiZPgme8UlhB9x4AEeYYdiNvbRd3YVE_R95viq0iD8M-Yik-87rn1Q/s1600/malware_spam.png)