I just received this email, ostensibly from business reputation firm Dun & Bradstreet. The fact that I don't actually have a business at present didn't escape me, but the verbiage of the email is compelling, and I can see why someone might inadvisedly click on the attachment.

[Image: Email]

I carefully saved the attachment and went over to VirusTotal and uploaded it there. No surprise, it is malware. See for yourself:

https://www.virustotal.com/en/file/d7af52303817627a5708d3bc365499b0ec685aa52f3d698a57b38a40d6728b7e/analysis/

Looking at the headers, we see that this was sent from an IP address in Mexico, presumably not a sending platform used by D&B. Note the "(may be forged)" annotation: the receiving MTA could not confirm that the reverse DNS name it found for the connecting IP maps back to that IP.

Received: from fixed-189-17-231.iusacell.net (fixed-189-17-231.iusacell.net [187.189.17.231] (may be forged))

 

inetnum: 187.188/15 

status: allocated
aut-num: N/A
owner: Iusacell PCS de Mexico, S.A. de C.V.
ownerid: MX-IPMS2-LACNIC
responsible: Rafel Rodriguez Sanchez
address: Montes Urales, 460, Col. Lomas de Chapultepec
address: 11000 – México – DF
country: MX
phone: +52 55 51095068
owner-c: CHD
tech-c: CHD
abuse-c: CHD
inetrev: 187.188/15
nserver: GWIUSACELL.IUSACELL.COM.MX
nsstat: 20131119 AA
nslastaa: 20131119
created: 20111208
changed: 20120604

 

The From: is alert@dnb.com, and D&B does publish an SPF record for dnb.com. That record, however, ends in "~all" (softfail) rather than "-all" (fail). A -all assertion tells receivers that any IP not listed is not authorised to send for the domain, so mail like this would evaluate to spf=fail and could be rejected outright; ~all only asks receivers to treat unlisted sources with suspicion. The sending IP, 187.189.17.231, matches none of the listed mechanisms, so the best the receiving system can do is record this:

Authentication-Results: iecc.com; spf=softfail

 

$ dig dnb.com TXT

; <<>> DiG 9.8.3-P1 <<>> dnb.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25745
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dnb.com. IN TXT

;; ANSWER SECTION:
dnb.com. 300 IN TXT "v=spf1 mx ip4:68.233.77.18 ip4:72.19.252.170 ip4:202.129.242.64/31 ip4:204.14.232.64/28 ip4:204.14.234.64/28 ip4:96.43.144.64/31 ip4:96.43.148.64/31 ip4:182.50.78.64/28 ip4:220.130.152.173 ip4:204.92.22.200/30 " "ip4:12.129.29.143 ip4:158.151.208.120/31 ip4:158.151.214.66/31 include:alerts.wallst.com ~all"

;; Query time: 100 msec
;; SERVER: 10.0.1.1#53(10.0.1.1)
;; WHEN: Thu Nov 21 09:07:43 2013
;; MSG SIZE rcvd: 342
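To make the softfail concrete, here is an added example (my code, not anything from the original post or from D&B) of how a receiver walks that SPF record. It is a minimal check_host(): mechanisms are evaluated left to right, ip4/ip6/all are decided locally with the standard library, and mx/include/a (which need DNS) are handed to an optional resolver callback or recorded as unresolved when none is given. The record string is copied from the dig output above; the function names parse_spf, evaluate_spf and with_hard_fail are my own, the in-range address 204.14.232.70 is a constructed test value, and the resolver used in the test is a constructed stand-in, not real data for alerts.wallst.com.

```python
import ipaddress

# The dnb.com TXT record exactly as dig returned it above (two strings joined).
DNB_SPF = (
    "v=spf1 mx ip4:68.233.77.18 ip4:72.19.252.170 ip4:202.129.242.64/31 "
    "ip4:204.14.232.64/28 ip4:204.14.234.64/28 ip4:96.43.144.64/31 "
    "ip4:96.43.148.64/31 ip4:182.50.78.64/28 ip4:220.130.152.173 "
    "ip4:204.92.22.200/30 ip4:12.129.29.143 ip4:158.151.208.120/31 "
    "ip4:158.151.214.66/31 include:alerts.wallst.com ~all"
)

# SPF qualifiers: the result a mechanism yields when it matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument, original_term)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier, body = "+", term            # no explicit qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, body = term[0], term[1:]
        if "=" in body.split(":", 1)[0]:
            # redirect=/exp= are modifiers, not mechanisms; kept for the caller
            parsed.append((qualifier, "modifier", body, term))
            continue
        name, _, arg = body.partition(":")
        parsed.append((qualifier, name.split("/")[0].lower(), arg, term))
    return parsed


def evaluate_spf(record, client_ip, resolver=None):
    """Minimal check_host(): return (result, matching_term, unresolved_terms).

    ip4, ip6 and all are decided here.  mx, a, include, exists, ptr and any
    modifier need DNS, so they go to `resolver(name, arg)`, which returns a
    list of networks the mechanism expands to, or None if it cannot answer;
    without a resolver they are recorded as unresolved and skipped.
    """
    ip = ipaddress.ip_address(client_ip)
    unresolved = []
    for qualifier, name, arg, term in parse_spf(record):
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)   # bare IP -> /32 or /128
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier], term, unresolved
        elif name == "all":
            # "all" always matches: the trailing qualifier decides unlisted senders
            return QUALIFIERS[qualifier], term, unresolved
        else:
            nets = resolver(name, arg) if resolver and name != "modifier" else None
            if nets is None:
                unresolved.append(term)
                continue
            if any(ip in ipaddress.ip_network(n, strict=False) for n in nets):
                return QUALIFIERS[qualifier], term, unresolved
    # Nothing matched and no "all" present: RFC 7208 says the result is neutral.
    return "neutral", None, unresolved


def with_hard_fail(record):
    """Hardened form of a record: a trailing ~all becomes -all."""
    terms = record.split()
    if terms and terms[-1].lower() == "~all":
        terms[-1] = "-all"
    return " ".join(terms)


if __name__ == "__main__":
    # The IP from the Received: header, against the published record and the hardened one.
    for rec, label in ((DNB_SPF, "published"), (with_hard_fail(DNB_SPF), "hardened")):
        result, term, pending = evaluate_spf(rec, "187.189.17.231")
        print(f"{label}: spf={result} (matched {term}; not evaluated offline: {pending})")
```

Run as a script it reports spf=softfail for the published record and spf=fail for the hardened one, while reminding you that "mx" and "include:alerts.wallst.com" were not expanded; a real receiver would have resolved both before trusting the result, and an unlisted IP still ends up at the "all" term either way.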