Delivered-To: <deleted my email>
Received: by 10.152.42.232 with SMTP id r8csp132346lal;
Thu, 6 Nov 2014 17:46:29 -0800 (PST)
X-Received: by 10.60.177.137 with SMTP id cq9mr6766581oec.45.1415324789301;
Thu, 06 Nov 2014 17:46:29 -0800 (PST)
Return-Path: <info@btcguild.com>
Received: from mailer199.gate191.sl.smtp.com (mailer199.gate191.sl.smtp.com. [192.40.191.199])
by mx.google.com with ESMTP id o7si5212026oeq.82.2014.11.06.17.46.28
for <<deleted my email>>;
Thu, 06 Nov 2014 17:46:29 -0800 (PST)
Received-SPF: fail (google.com: domain of info@btcguild.com does not designate 192.40.191.199 as permitted sender) client-ip=192.40.191.199;
Authentication-Results: mx.google.com;
spf=hardfail (google.com: domain of info@btcguild.com does not designate 192.40.191.199 as permitted sender) smtp.mail=info@btcguild.com;
dkim=pass header.i=@smtp.com
Return-Path: <info@btcguild.com>
X-MSFBL: ZmFybWR2ZUBkYXRhLmJnQDE5Ml80MF8xOTFfMTk5QFNlbmRCbGFzdGVyXzZA
DKIM-Signature: v=1; a=rsa-sha256; d=smtp.com; s=smtpcomcustomers; c=relaxed/simple;
q=dns/txt; i=@smtp.com; t=1415324788;
h=From:Subject:To:Date:MIME-Version:Content-Type;
bh=plsX5zQy9aYdD5e23aDlwEJxNqBaSzoBtRsx9GFVHbE=;
b=o3x8xT5U0YlsVsdhanzQvBxce/cHUr8dRPz3Jggxk6DnPLA56WK2Du4roH+rc7yg
Kmz49XOoKQ5lTHXcClwt6bGb3fCkNCzBeZq7khADDQ0XzHi7Y9ra5N0sw5/RMTF8
uKQyJm/k3JeWp6pP17ixW0EwoUyMsEAN8QmWUhqxelE=;
Received: from [198.72.123.97] ([198.72.123.97:62605] helo=198.72.123.97)
by sl-mta05 (envelope-from <info@btcguild.com>)
(ecelerity 3.3.2.44647 r(44647)) with ESMTPA
id 67/BD-18760-4742C545; Fri, 07 Nov 2014 01:46:28 +0000
From: "btcguild" <info@btcguild.com>
Message-ID: <67.BD.18760.4742C545@sl-mta05>
Subject: [btcguild] Invoice Payment (#1232197)
To: "<deleted my username>" <<deleted my email>>
Content-Type: multipart/mixed; boundary="p=_ieZaZiIfXy6SZN2CqvmGQeWLUVhYjEp"
MIME-Version: 1.0
Date: Fri, 7 Nov 2014 01:46:26 +0000
X-SMTPCOM-Tracking-Number: 4fb914cf-9ce4-46fa-9d07-c6a9361144f8
X-SMTPCOM-Sender-ID: 25953
X-SMTPCOM-Spam-Policy: SMTP.com is a paid relay service. We do not tolerate UCE of any kind. Please report it ASAP to abuse@smtp.com

This is a multi-part message in MIME format
--p=_ieZaZiIfXy6SZN2CqvmGQeWLUVhYjEp
Content-Type: multipart/alternative;
boundary="wy9EpkfQ=_DMTlGVSvYXIbJYUKwRetxGgA"
--wy9EpkfQ=_DMTlGVSvYXIbJYUKwRetxGgA
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
=EF=BB=BFInvoice Payment Confirmation
Kind regards.
=20
--wy9EpkfQ=_DMTlGVSvYXIbJYUKwRetxGgA
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
=EF=BB=BF<HTML><HEAD></HEAD>
<BODY>
<P><SPAN class=3Dil>Invoice</SPAN> Payment Confirmation</P>
<P> Kind regards.</P>
<P> </P></BODY></HTML>
--wy9EpkfQ=_DMTlGVSvYXIbJYUKwRetxGgA--
--p=_ieZaZiIfXy6SZN2CqvmGQeWLUVhYjEp
Content-Type: application/octet-stream;
name="1232197.jar"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="1232197.jar"
The attached jar file was a Java executable obfuscated by Allatori, likely a wallet stealer, but no deobfuscator could deobfuscate the strings for me to see what happens.
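The headers above carry the three signals a mail filter would act on here: an SPF hardfail for btcguild.com, a DKIM pass signed by the relay's domain (smtp.com) rather than the From domain, and an executable (.jar) attachment named like an invoice. The triage function below is an added example, not part of the original post; it runs over a constructed, trimmed copy of this message's headers (the attachment body is replaced with a placeholder) and returns those findings.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample, trimmed from the headers quoted in the post above;
# the JAR body is a placeholder, not the real attachment.
SAMPLE = """\
Authentication-Results: mx.google.com;
 spf=hardfail (google.com: domain of info@btcguild.com does not designate 192.40.191.199 as permitted sender) smtp.mail=info@btcguild.com;
 dkim=pass header.i=@smtp.com
From: "btcguild" <info@btcguild.com>
Subject: [btcguild] Invoice Payment (#1232197)
Content-Type: multipart/mixed; boundary="b1"
MIME-Version: 1.0

--b1
Content-Type: text/plain; charset="utf-8"

Invoice Payment Confirmation
--b1
Content-Type: application/octet-stream; name="1232197.jar"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="1232197.jar"

UEsDBAo=
--b1--
"""

# Extensions that run code when opened; a short illustrative set.
RISKY_EXT = {".jar", ".exe", ".scr", ".js", ".vbs"}

def triage(raw):
    """Return a list of findings for one RFC 5322 message string."""
    msg = email.message_from_string(raw)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Folded header lines are kept as-is; the regexes tolerate the whitespace.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    if results.get("spf") in ("fail", "hardfail", "softfail"):
        findings.append("spf:" + results["spf"])
    # A DKIM pass only vouches for the signing domain (header.i / header.d);
    # here it is the relay, not the domain shown in From.
    m = re.search(r"header\.[id]=@?([\w.-]+)", auth)
    if results.get("dkim") == "pass" and m and not m.group(1).lower().endswith(from_domain):
        findings.append(f"dkim-domain-mismatch:{m.group(1)}!={from_domain}")
    for part in msg.walk():
        name = part.get_filename() or ""
        ext = "." + name.rpartition(".")[2].lower() if "." in name else ""
        if ext in RISKY_EXT:
            findings.append("attachment:" + name)
    return findings
```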