Fake "Request Approved" Comprafacil Email Contains Link to Malware

Fake Request Approved Comprafacil Email Contains Link to Malware

Would you share this Article with others?  +

The email message below with the subject: "Request Approved" or "Pedido Aprovado" is a fake and contains a link to a malware located on Google Docs. The email message was not sent by Comprafacil, although it appeared to have been sent from their email address. Please do not open the email, click on the link, or download the malicious file.

Comprafacil.com or Comprafacil.com .br is one of the top three e-commerce websites in Brazil.

The Fake Comprafacil Email

Subject: Pedido Aprovado
Date: Mon, 24 Jun 2013 01:38:19 -0300
From: Comprafacil @comprafacil.com

Prezado(a) Cliente,

Gostariamos de informar que o debito em seu cartao de credito foi efetuado e o pagamento ja foi confirmado. Sua mercadoria ja esta em transporte.

Lembramos que para facilitar o recebimento, e necessario que haja alguem autorizado no local da entrega.

Previsao de entrega:


Para acompanhar seu pedido, por favor acesse o link abaixo:www.comprafacil.com/pedido.asp?pedido4782=sp?confirmada

Atenciosamente, SAC - www.comprafacil.com

Translated into English:

Subject: request Approved
Date: Mon, 24 Jun 2013 01:38:19 -0300
From: Comprafacil @comprafacil.com

Dear (a) Customer

We would like to inform you that the debit on your credit card and the payment was made has already been confirmed. Their merchandise is already in transit.

Remember that to facilitate the receipt, it is necessary that there be someone authorized on-site delivery.

Prediction of delivery:

To track your order, please visit the link below:


Sincerely, SAC - www.comprafacil.com

Although the link in the email message appears to go to the website www.comprafacil.com at the following location, it does not:

  • http://www.comprafacil.com/pedido.asp? pedido 4782=sp?confirmada

The link actually goes to the web page Cliente.html on the website sustente.org .br, located at the following web address:

  • http://sustente.org .br/clientes/cliente02 /Cliente.html

The Cliente.html web page then downloads the malicious file from the Google Docs website at the following location, where the malicious file is stored:

  • https://docs.google.com/ uc?id=0BzlAOijoJXwTMj VYNy1a WXRHTU0&export=download

The name of the malicious file is "pedido4782=spconfirmada.com".

Do not open this malicious file because you have an antivirus software installed. This is because only seven antivirus software were able to detect this malicious program.

Also, please remember that the name of this malicious file may change.

The following shows the list of antivirus software and the threat they detected when they scanned the file: "pedido4782=spconfirmada.com".

File name: pedido4782=spconfirmada.com
Analysis date: 2013-06-24 10:21:05 UTC


  • AntiVir TR/Symmi.20860.10
  • BitDefender Gen:Variant.Symmi.18194
  • Emsisoft Gen:Variant.Symmi.18194 (B) 20130624
  • F-Secure Gen:Variant.Symmi.18194 20130624
  • GData Gen:Variant.Symmi.18194
  • McAfee-GW-Edition Heuristic.BehavesLike. Win32.Suspicious-BAY.K
  • TrendMicro-HouseCall TROJ_GEN.F47V0624

If you receive the malicious email message, please delete it and warn your friends and family about it.

If you have already downloaded and open this file, please download and install one of the the free version of the antivirus software below:

BitDefender - click here to download

Avira - click here to download

Use the antivirus software to do a full scan of your computer.

Note: Some of the names, addresses, email addresses, telephone numbers or other information in samples on this website may have been impersonated or spoofed.

Check the comment section below for additional information and share what you know or ask a question about this article by leaving a comment below.

Remember to forward suspicious, malicious, or phishing email messages to us at the following email address: info@onlinethreatalerts.com. And, report missing persons, scams, untrustworthy, or fraudulent websites to us. Tell us why you consider the websites untrustworthy or fraudulent. Also, to quickly find answers to your questions, use our search engine.

You can help maintain Online Threat Alerts (OTA) by paying a service fee. Click here to make payment.

Comments, Questions, Answers, or Reviews

There are no comments as yet, please leave one below or revisit.

To help protect your privacy, please do not post or remove, your full name, telephone number, email address, username, password, account number, credit card information, home address or other sensitive information in or from your comments, questions, or reviews. Also, remember to keep comments, reviews, answers respectful.

Write Your Comment, Question, Answer, or Review

Write your comment, question, answer, or review in the box below to share what you know or to get answers. NB: We will use your IP address to display your approximate location to other users.

Your comment, question, answer, or review will be posted as an anonymous user because you are not signed in. Anonymous posts cannot be edited or deleted. Sign-in.

Keep your comment respectful or it will not be posted.

Fake "Request Approved" Comprafacil Email Contains Link to Malware