Germans bombarded in malware attack, shipment firm caught in crossfire forced to suspend email address

Germans bombarded in malware attack, shipment firm caught in crossfire forced to suspend email address

German malwareA particularly vociferous malware campaign has been forcefully spammed out in the last 24 hours, targeting German internet users.

The malicious emails, which have are intercepted by Sophos security products, contain an attachment which pretends to be a PDF file, and claim to come from an air shipment company and use the subject line “Luftfrachsendung AWB”.

Here is an example of a typical email that was intercepted by the team at SophosLabs:

AWB malware


anbei der AWB bitte bestätigen ob alles Ok ist.


Mit freundlichen Grüßen

Attached to the emails is a file called AWB-Avis (the numbers can vary) which carries the malicious payload.

Sophos products detect the attack as the Troj/Agent-AAJO and Troj/Agent-AANK Trojan horse.

Astrid, one of the translators here at Sophos, tells me that the German used in the emails isn’t perfect (which might help raise suspicions) – but here’s a rough translation for non-German speakers:


Please confirm the enclosed AWB is OK.

Thank you

Yours sincerely

What makes the attack stand out from all of the other attacks that we have intercepted in the last few days is its sheer scale, dwarfing all the other malware attacks that SophosLabs has seen sent out via email in recent days.

The shipping company referenced in the email has posted a message on its website saying that it has had to suspend its normal info@ email address because of the sheer number of emails it is receiving, and has offered an alternative address for contact instead.


ATTENTION! Email Spam and Virus warning: Unknown parties are currently sending large quantities of spam emails with the false sender address of The subject line reads "Airfreight shipment AWB". The email has an attachment that is infected with a Trojan!

We therefore advise that if you receive such an email, you delete it without opening. Please do not try to open the attachment!

For this reason, the info@email address has been disabled until further notice. You can contact us in the meantime, using the email address ""

You have to feel some sympathy for an innocent company which has had its business disrupted by a cybercriminal scheme.

Make sure that you are reducing the risk of your computers being infected by malware in an attack like this.

As well as keeping your wits about you, and ensuring that you and your colleagues never open unsolicited attachments, always ensure that all of your computers are running up-to-date anti-virus software.