That package at the Royal Mail office? It’s malware

Cybercriminals have spammed out malware, posing as an email from the Royal Mail.

The emails, which claim that a package has been returned to the Royal Mail office, pretend to come from official-sounding addresses such as or

Opening the attached file could lead to your Windows computer being infected by a Trojan horse.

Here’s a typical example of what is being spammed out:

Malware attack posing as Royal Mail email

Dear customer.

A courier did not deliver the package to your address.
Reason: The package is too large
Information about your package is attached to the letter.
Read all information carefully and come to the "Royal Mail" office to receive your package.

Thank you for your attention.
Royal Mail Service.

The reason given for non-delivery of the parcel can vary. For instance, the email might claim that your address does not exist, or that the parcel is too large.

Subject lines can vary also. Here are some of the examples we have seen in our traps:

  • Error in the delivery address No30173
  • You should come to the Royal Mail office and receive a package
  • Track your shipment No24127
  • Cancellation of the package delivery
  • Track your parcel No9782
  • A package is available for reception
  • Get your parcel No083
  • Error in the delivery address No40046009
  • Error in the delivery address No0633376
  • You should come to the Royal Mail office and receive a package
  • Delivery Problem
  • Royal Mail Delivery information
The dangerous thing, of course, is the attachment. It’s a ZIP file that Sophos’s anti-virus products intercept as Mal/BredoZp-B and Mal/EnckPK-AAT.

(If you use a security product from another vendor, here is the MD5 hash which you can use to determine if you are protected: 6bd53a62c768f7ce8663310ed404b89c)
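A mail-gateway triage check built from the indicators given above (the listed subject lines, the ZIP attachment and the MD5), as an added example that is not Sophos's code. The sender and recipient addresses, the attachment filename and the ZIP bytes in the sample are constructed.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# MD5 of the malicious ZIP, as published in the article.
KNOWN_MD5 = "6bd53a62c768f7ce8663310ed404b89c"

# Generalised from the subject lines listed in the article. Subjects alone
# are a weak signal ("Delivery Problem" is common), so reasons are combined.
SUBJECT_PATTERNS = [
    re.compile(r"(error in the delivery address|track your (shipment|parcel)"
               r"|get your parcel)\s+No\d+", re.I),
    re.compile(r"royal mail (office|delivery)", re.I),
    re.compile(r"cancellation of the package delivery"
               r"|package is available for reception|delivery problem", re.I),
]

def triage(raw_bytes):
    """Return the reasons a raw RFC 5322 message resembles this campaign."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    if any(p.search(str(msg.get("Subject", ""))) for p in SUBJECT_PATTERNS):
        reasons.append("subject")
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        # Check the ZIP magic bytes too, in case the extension is disguised.
        if name.endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            reasons.append("zip-attachment")
        if hashlib.md5(payload).hexdigest() == KNOWN_MD5:
            reasons.append("known-md5")
    return reasons

def build_sample(subject, attachment=None):
    """Constructed test message; addresses and filename are made up."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m["Subject"] = subject
    m.set_content("A courier did not deliver the package to your address.")
    if attachment is not None:
        m.add_attachment(attachment, maintype="application",
                         subtype="zip", filename="label.zip")
    return m.as_bytes()

if __name__ == "__main__":
    harmless_zip = b"PK\x03\x04" + b"\x00" * 26  # constructed, not the real sample
    print(triage(build_sample("Track your parcel No9782", harmless_zip)))
    print(triage(build_sample("Lunch on Friday?")))
```

A message that returns both "subject" and "zip-attachment" is worth quarantining for review; "known-md5" only fires on the exact file the article hashed.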

I have to ask myself – why are people believing these emails are from the Royal Mail in the first place? I mean, how do they think the Royal Mail got hold of their email address?

Malware attacks posing as messages from parcel delivery companies are nothing new of course – but we’re more used to seeing attacks pretending to be from the likes of UPS, FedEx and DHL than the Royal Mail.

Always think before clicking on unsolicited attachments which arrive unexpectedly in your email. It’s an old trick, but the reason why malicious hackers still use it is because it works.