Fake DHL mail with unknown keylogger attached

A short warning at the beginning of this week: there are probably phishing mails with alleged DHL senders in circulation that have an unknown keylogger attached.


I became aware of this topic via a tweet on a British website, since DHL is mentioned as the sender.

The fake e-mail allegedly comes from the US branch of the DHL courier service and has the following content:

From: DHL EXPRESS mail[.]us[at]dhlcourier[.]us
Date: Sun 08/09/2019 02:37
Attachment: DHL_FORM.doc
Body content:

Dear Customer,

We tried to deliver your item to your address this morning 7th September, 2019. (See the attached file) .

The delivery attempt was unsuccessful because no one was present at the delivery address given to us, so the notification is automatically sent.

If the parcel is not scheduled for re-projection or receipt within 72 hours on weekdays, it will be returned to the sender.

Tag number: DB0011622801 / 17BA

Expected delivery date: September 7th, 2019

Packet Services

Agency (s): Delivery Confirmation
Status: Mission sent
Sender: Macy's Department Store Company
Your package has not been delivered.
Delivery Time: 08:57 AM
Number of Packages: 1
Weight: 5.0 LBS

Dear Customer

See attached form and correct your address.
We apologize and thank you for your confidence.

Thank you,

Customer Service DHL.
2019 © DHL International GmbH. All rights reserved.

One of the usual notifications when you miss a shipment delivery? Recipients should note that an attachment asks them to correct the address using a form. Here is the screenshot of the mail:

Screenshot: DHL phishing mail (Source: myonlinesecurity.co.uk)


All alleged senders, companies, employee names, telephone numbers, quantities, reference numbers, etc. mentioned in the e-mails have been chosen at random. Their sole purpose is to establish trustworthiness and to induce the user to open the attached .doc or .xls file. The Word or Excel files carry a macro script or an embedded OLE object that infects the user's system when it is executed.

The website myonlinesecurity.co.uk has some more details. The malware is downloaded from https[://]heritagebank[.ga]/Quotation[.]exe. The website is delivered via Cloudflare. It is probably the root URL of a real bank that has mutated into a phishing site. The .exe file contains a keylogger for Windows.
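The lure described above combines three signals a mail gateway or analyst can check mechanically: a sender that claims a brand but mails from an unrelated domain, urgency phrasing in the body, and a macro-capable Office attachment. The following triage script is an added example, not code from the original post or from DHL or myonlinesecurity.co.uk; the sample message is constructed from the quoted mail, and the allow-listed brand domains, phrase list and the OLE2 magic-byte check are the example's own assumptions, not any vendor's logic.

```python
"""Heuristic triage of a suspicious parcel-notification e-mail.

Added example (not part of the original post). The sample message below is
constructed from the details quoted in the post; the brand domain list, the
urgency phrases and the OLE2 header check are assumptions for illustration.
"""
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Domains a brand legitimately mails from (assumption; maintain per brand).
BRAND_DOMAINS = {"dhl": {"dhl.com", "dhl.de"}}

# Attachment types that commonly carry VBA macros or embedded OLE objects.
MACRO_CAPABLE = {".doc", ".docm", ".xls", ".xlsm", ".rtf"}

# Phrases that pressure the recipient into acting quickly (assumed list).
URGENCY = [r"\b\d+\s*hours\b", r"returned to the sender", r"correct your address"]

# OLE2 compound-file magic. A legacy .doc/.xls that does not start with this
# is not what its extension claims, which is worth a finding on its own.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def build_message(from_hdr, body, attachment=None):
    """Construct a test message; attachment is an optional (name, bytes) pair."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = from_hdr
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Delivery notification"
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


def build_sample():
    """Constructed stand-in for the quoted DHL lure (not a real capture)."""
    body = ("Dear Customer,\n"
            "We tried to deliver your item this morning. If the parcel is not "
            "scheduled for re-projection within 72 hours it will be returned "
            "to the sender.\nSee attached form and correct your address.\n")
    # A few OLE2 header bytes so the attachment type check has input.
    fake_doc = OLE_MAGIC + b"\x00" * 24
    return build_message("DHL EXPRESS <mail.us@dhlcourier.us>", body,
                         ("DHL_FORM.doc", fake_doc))


def triage(msg):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []

    # 1. Brand claimed in the display name or domain, but not a brand domain.
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, legit in BRAND_DOMAINS.items():
        claims_brand = brand in display.lower() or brand in domain
        is_legit = any(domain == d or domain.endswith("." + d) for d in legit)
        if claims_brand and not is_legit:
            findings.append(f"sender claims '{brand}' but domain is {domain!r}")

    # 2. Urgency phrasing in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for pat in URGENCY:
        if re.search(pat, text, re.IGNORECASE):
            findings.append(f"urgency phrase matched: /{pat}/")

    # 3. Macro-capable attachments, and legacy Office files without an OLE2 header.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in MACRO_CAPABLE:
            findings.append(f"macro-capable attachment: {name}")
        payload = part.get_payload(decode=True) or b""
        if ext in {".doc", ".xls"} and not payload.startswith(OLE_MAGIC):
            findings.append(f"{name} does not carry an OLE2 header")
    return findings


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("-", finding)
```

Run stand-alone, the script lists five findings for the constructed lure (mismatched sender domain, three urgency phrases, one macro-capable attachment). The rules are deliberately simple: they are a starting point for a gateway or SOC playbook, and the brand domain list is the part that needs real maintenance.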
