That package at the Royal Mail office? It's malware

Filed Under: Malware, Spam

Royal Mail TrojanCybercriminals have spammed out malware, posing as an email from the Royal Mail.

The emails, which claim that a package has been returned to the Royal Mail office, pretend to come from official-sounding addresses such as or

Opening the attached file could lead to your Windows computer being infected by a Trojan horse.

Here's a typical example of what is being spammed out:

Malware attack posing as Royal Mail email

Dear customer.

A courier did not deliver the package to your address.
Reason: The package is too large
Information about your package is attached to the letter.
Read all information carefully and come to the "Royal Mail" office to receive your package.

Thank you for your attention.
Royal Mail Service.

The reason given for non-delivery of the parcel can vary. For instance, the email might claim that your address does not exist, or that the parcel is too large.

Subject lines can vary also. Here are some of the examples we have seen in our traps:

  • Error in the delivery address No30173
  • You should come to the Royal Mail office and receive a package
  • Track your shipment No24127
  • Cancellation of the package delivery
  • Track your parcel No9782
  • A package is available for reception
  • Get your parcel No083
  • Error in the delivery address No40046009
  • Error in the delivery address No0633376
  • You should come to the Royal Mail office and receive a package
  • Delivery Problem
  • Royal Mail Delivery information
  • The dangerous thing, of course, is the attachment. It's a ZIP file that Sophos's anti-virus products intercept as Mal/BredoZp-B and Mal/EnckPK-AAT.

    (If you use a security product from another vendor, here is the MD5 hash which you can use to determine if you are protected: 6bd53a62c768f7ce8663310ed404b89c)

    I have to ask myself - why are people believing these emails are from the Royal Mail in the first place? I mean, how do they think the Royal Mail got hold of their email address?

    Malware attacks posing as messages from parcel delivery companies are nothing new of course - but we're more used to seeing attacks pretending to be from the likes of UPS, FedEx and DHL than the Royal Mail.

    Always think before clicking on unsolicited attachments which arrive unexpectedly in your email. It's an old trick, but the reason why malicious hackers still use it is because it works.

    , ,

    You might like

    3 Responses to That package at the Royal Mail office? It's malware

    1. Yossi · 1413 days ago

      These have been going out for at least a month! Fortunately I've had no complaints to the help desk over needless trips to the Post Office.

      Worth noting that of those mentioned in your blog Royal Mail & FedEx do not use any sender protection framework (SPF) DNS records to protect their name. DHL & UPS on the other hand do. No magic bullet of course but does help sort these kinds of messages out.

    2. marty · 1413 days ago

      i have had a email from bogus royal mail .i was stupid and downloaded a zip file which contains a virus. and its telling me i have got critical hard drive errors and all i have is a black screen. i was actually waiting for a package from royal mail the same day as i got this spam mail.i ran a full scan with viper and it picked up nothing.gonna have to try another anti virus like Norton 360 which i have on my other PC and use Norton power eraser.i thought viper was supposed to be good/ apparently not.

      • JohnnyB · 1411 days ago

        boot in safe mode andrun malwarebytes antimalware & superantispyware, they will sort it out.
        we had 3 machines go down in the office with the same thing.

    Leave a Reply

    Fill in your details below or click an icon to log in: Logo

    You are commenting using your account. Log Out / Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out / Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out / Change )

    Google+ photo

    You are commenting using your Google+ account. Log Out / Change )

    Connecting to %s

    About the author

    Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley