Analysis by Brent John Nathaniel de Guzman

Valentine's Day came early for spammers in 2015. We've recently encountered a variety of spammed emails with the keywords 'Valentine's Day' found in different parts of the emails, including the headers and the body itself. A few mentions of 'Valentine's Day' were even found in emails written in invisible ink, which at first glance appear to be empty.

This slew of Valentine's Day-themed emails came in different languages such as German and Chinese. Instead of flowers or candy, spammers gifted their recipients with emails about dating sites, scams, and spam-vertisements (advertisements seen inside spammed emails). Below are sample spammed emails we've seen.

We found 117 unique sender IPs related to this spam run. Most of the spammed emails came from the United States, followed by India, Ukraine, Canada, and the Netherlands.

Valentine's Spam with .ZIP attachment

The screenshot above shows a sample Valentine's Day spam with an attachment named Zahlungsbeleg.zip. This .ZIP file drops the malicious files Zahlungsbeleg.scr, detected as TSPY_URSNIF.XXPV, and DOC_Bewerbung-Februar_2015.doc.exe, which we detect as TSPY_BEBLOH.YYL.
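A gateway-side check for the attachment pattern described above, as an added example that is not part of the original analysis: it lists the members of a ZIP attachment and flags executable extensions, a document-style decoy extension in front of them, and MZ headers. The extension lists and function names are assumptions for illustration, and the sample archive is constructed with harmless stub contents.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs directly; .scr (screensaver) is a PE executable.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-like extensions used as a decoy before the real extension.
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg", ".txt"}


def flag_zip_members(zip_bytes):
    """Return {member_name: [reasons]} for members that warrant blocking."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Keep only the file name part; trailing dots/spaces are ignored by Windows.
            name = PurePosixPath(info.filename.replace("\\", "/")).name
            suffixes = [s.lower() for s in PurePosixPath(name.rstrip(". ")).suffixes]
            reasons = []
            if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
                reasons.append("executable extension " + suffixes[-1])
                if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
                    reasons.append("decoy extension " + suffixes[-2])
            # First bytes "MZ" mean a DOS/PE executable whatever the name says.
            with archive.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("MZ header")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample: names from the article, contents are harmless stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Zahlungsbeleg.scr", b"MZ constructed stub, not a real PE")
        archive.writestr("DOC_Bewerbung-Februar_2015.doc.exe", b"MZ constructed stub")
        archive.writestr("readme.txt", b"constructed benign member")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in flag_zip_members(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```

Password-protected members raise RuntimeError when opened without a password, so a production filter would need to treat that case separately.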

 SPAM BLOCKING DATE / TIME: February 03, 2015 GMT-8
 TMASE
  • TMASE Engine: :
  • TMASE Pattern: :1300