Fake "Request Approved" Comprafacil Email Contains Link to Malware

Fake Request Approved Comprafacil Email Contains Link to Malware

The email message below with the subject: "Request Approved" or "Pedido Aprovado" is a fake and contains a link to a malware located on Google Docs. The email message was not sent by Comprafacil, although it appeared to have been sent from their email address. Please do not open the email, click on the link, or download the malicious file.

Comprafacil.com or Comprafacil.com .br is one of the top three e-commerce websites in Brazil.

The Fake Comprafacil Email

Subject: Pedido Aprovado
Date: Mon, 24 Jun 2013 01:38:19 -0300
From: Comprafacil @comprafacil.com

Prezado(a) Cliente,

Gostariamos de informar que o debito em seu cartao de credito foi efetuado e o pagamento ja foi confirmado. Sua mercadoria ja esta em transporte.

Lembramos que para facilitar o recebimento, e necessario que haja alguem autorizado no local da entrega.

Previsao de entrega:


Para acompanhar seu pedido, por favor acesse o link abaixo:www.comprafacil.com/pedido.asp?pedido4782=sp?confirmada

Atenciosamente, SAC - www.comprafacil.com

Translated into English:

Subject: request Approved
Date: Mon, 24 Jun 2013 01:38:19 -0300
From: Comprafacil @comprafacil.com

Dear (a) Customer

We would like to inform you that the debit on your credit card and the payment was made has already been confirmed. Their merchandise is already in transit.

Remember that to facilitate the receipt, it is necessary that there be someone authorized on-site delivery.

Prediction of delivery:

To track your order, please visit the link below:


Sincerely, SAC - www.comprafacil.com

Although the link in the email message appears to go to the website www.comprafacil.com at the following location, it does not:

  • http://www.comprafacil.com/pedido.asp? pedido 4782=sp?confirmada

The link actually goes to the web page Cliente.html on the website sustente.org .br, located at the following web address:

  • http://sustente.org .br/clientes/cliente02 /Cliente.html

The Cliente.html web page then downloads the malicious file from the Google Docs website at the following location, where the malicious file is stored:

  • https://docs.google.com/ uc?id=0BzlAOijoJXwTMj VYNy1a WXRHTU0&export=download

The name of the malicious file is "pedido4782=spconfirmada.com".

Do not open this malicious file because you have an antivirus software installed. This is because only seven antivirus software were able to detect this malicious program.

Also, please remember that the name of this malicious file may change.

The following shows the list of antivirus software and the threat they detected when they scanned the file: "pedido4782=spconfirmada.com".

File name: pedido4782=spconfirmada.com
Analysis date: 2013-06-24 10:21:05 UTC


  • AntiVir TR/Symmi.20860.10
  • BitDefender Gen:Variant.Symmi.18194
  • Emsisoft Gen:Variant.Symmi.18194 (B) 20130624
  • F-Secure Gen:Variant.Symmi.18194 20130624
  • GData Gen:Variant.Symmi.18194
  • McAfee-GW-Edition Heuristic.BehavesLike. Win32.Suspicious-BAY.K
  • TrendMicro-HouseCall TROJ_GEN.F47V0624

If you receive the malicious email message, please delete it and warn your friends and family about it.

If you have already downloaded and open this file, please download and install one of the the free version of the antivirus software below:

BitDefender - click here to download

Avira - click here to download

Use the antivirus software to do a full scan of your computer.

Check the comment section below for additional information, share what you know, or ask a question about this article by leaving a comment below. And, to quickly find answers to your questions, use our search Search engine.

Note: Some of the information in samples on this website may have been impersonated or spoofed.

Was this article helpful?  +
Share this with others:
Comments, Questions, Answers, or Reviews
There are no comments as yet, please leave one below or revisit.

To protect your privacy, please remove sensitive or identifiable information from your comments, questions, or reviews. We will use your IP address to display your approximate location to other users when you make a post. That location is not enough to find you.

Your post will be set as anonymous because you are not signed in. An anonymous post cannot be edited or deleted, therefore, review it carefully before posting. Sign-in.

Write Your Comment, Question, Answer, or Review

Fake "Request Approved" Comprafacil Email Contains Link to Malware