MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 97d4b97ab4f5880766783a88742969d0995cc86463e05a920486f390139667bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Loki
Vendor detections: 14
| SHA256 hash: | 97d4b97ab4f5880766783a88742969d0995cc86463e05a920486f390139667bc |
|---|---|
| SHA3-384 hash: | 15ec202867a4865f0e4ce49af6f3ddf1fe7e39930b88f6e4efe2569e674d35ea5286f7081e551c3b2bca4baff21c6c43 |
| SHA1 hash: | 0e9e7b3bdb690d391b941520b9acb3fe20008368 |
| MD5 hash: | 3eb855cf3d2aad29074cca7aabc54180 |
| humanhash: | foxtrot-fix-carpet-salami |
| File name: | Angebotsanfrage 05·10·2021·pdf.exe |
| Signature: | Loki |
| File size: | 409'088 bytes |
| First seen: | 2021-10-05 10:35:06 UTC |
| Last seen: | 2021-10-05 10:35:48 UTC |
| MIME type: | application/x-dosexec |
| imphash: | f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger) |
| ssdeep: | 6144:7P40bCry6Tnh3Q+3HwOcc0WM2Y7zXNcOUqdWL7CDgrClaG9PYVoPWiN:Tugocc0WMp7rNcNqdWL7CD+ClaG9Pwu |
| Threatray: | 4'855 similar samples on MalwareBazaar |
| TLSH: | T18D94AE9533AF6F45ED348FF4181CA0C157BA6C376169D3690ED1B0FE6922BB00A91E63 |
| dhash icon: | eac6a6cc96b28acc (16 x Loki) |
| Tags: | .NET exe Loki |
targodev
Received via e-mail, impersonating the current President of the Humboldt-University in Berlin, Germany (including the sender mail). It is written in syntactically perfect German but with a few grammar quirks. Also the content of the message seems strange / somewhat implausible. The mail praises the recipient's company with a request to fill out the attached invoice and to offer the best price to the Humboldt-University. Pressure is kept up by asking the recipient to answer within 3 days (received 05.10.2021, asked to answer by 08.10.2021).
==== Mail Headers ====
Return-Path: <REDACTED_SENDER_A>
Received-SPF: None (mailfrom) identity=mailfrom; client-ip=62.201.172.24; helo=shout01.mail.de; envelope-from=REDACTED_SENDER_A; receiver=<UNKNOWN>
Authentication-Results: 'REDACTED_A'; dmarc=none (p=none dis=none) header.from=hu-berlin.de
Authentication-Results: REDACTED_A;
dkim=pass (2048-bit key; unprotected) header.d=mail.de header.i=@mail.de header.b="7Mb4dms4";
dkim-atps=neutral
Received: from shout01.mail.de (shout01.mail.de [62.201.172.24])
by REDACTED_A (Postfix) with ESMTPS id 6E1B2981833
for <REDACTED_B>; Tue, 5 Oct 2021 10:53:29 +0200 (CEST)
Received: from postfix01.mail.de (postfix03.bt.mail.de [10.0.121.127])
by shout01.mail.de (Postfix) with ESMTP id 428E01004AA
for <REDACTED_B>; Tue, 5 Oct 2021 10:53:22 +0200 (CEST)
Received: from dovecot05 (dovecot05.bt.mail.de [10.0.121.115])
by postfix01.mail.de (Postfix) with ESMTP id C8937801C2
for <REDACTED_B>; Tue, 5 Oct 2021 10:53:21 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mail.de;
s=mailde202009; t=1633424001;
bh=ylVrySoj3b+cm744Tk18V7DBIo253h+EDGAFO+u7tVw=;
h=Date:From:To:Subject:Reply-To:From;
b=7Mb4dms44toBNi+ihrViecLlPn520VWqBs896Ew1t7hLAJ+10gAU7MBIEDVEtFCYV
i5JVATE6UzALjBxTvlXwf3nsDBpVnX3qZhw4lMzRGzxJ1rFsqri+ODvoibKC4+WzdL
XXwJRaISkEqFNgi4hDONnQZwRpKFrBR2BpNsFQEMCLGOZTAQnGnKNeqzZgcFxy+GIy
r5Wl/mgGeN4t+72qErfJ7GzCYVRNHQG7C5A44aWOeE7cIUdWmT/GneSCB0hs+5f6LA
awQEzwkBCoiToqhBJaxYzTiW/zPcdCZE87tSiz0qHTHtEnDFbQbl5fSZbtePju6QRp
1X7uqHMX6SsEQ==
X-Sieve: Pigeonhole Sieve 0.4.24.2 (aaba65b7)
X-Sieve-Redirected-From: REDACTED_C
Delivered-To: REDACTED_C
Received: from director03 ([10.0.121.146])
by dovecot05 with LMTP id sBjDCoESXGG8agAAAP82Bw
for <REDACTED_C>; Tue, 05 Oct 2021 10:53:21 +0200
Received: from localhost ([10.0.121.146])
by director03 with LMTP id oOiFCoESXGFcIAAAUyPkog
; Tue, 05 Oct 2021 10:53:21 +0200
X-Original-To: REDACTED_C
Authentication-Results: mxpostfix02.mail.de; spf=none (mailfrom) smtp.mailfrom=hu-berlin.de (client-ip=217.65.97.131; helo=west.ikron.hu; envelope-from=REDACTED_SENDER_A; receiver=<UNKNOWN>)
Authentication-Results: mxpostfix02.mail.de; dmarc=none (p=none dis=none) header.from=hu-berlin.de
Authentication-Results: mxpostfix02.mail.de; dkim=none; dkim-atps=neutral
Received: from west.ikron.hu (expurgate03.bt.mail.de [217.65.97.131])
by mxpostfix02.mail.de (Postfix) with ESMTP id C74338015B
for <REDACTED_C>; Tue, 5 Oct 2021 10:53:20 +0200 (CEST)
Received: from [217.65.97.131] (helo=west.ikron.hu)
by mx03.mail.de with ESMTPS (eXpurgate 4.32.0)
(envelope-from <REDACTED_SENDER_A>)
id 615c1278-6d2c-0a0078cb0019-d9416183e400-3
for <REDACTED_C>; Tue, 05 Oct 2021 10:53:13 +0200
X-Envelope-To: REDACTED_D
[REMOVED_SEVERAL_MORE_X-ENVELOPE_HEADERS]
MIME-Version: 1.0
Date: Tue, 05 Oct 2021 11:52:45 +0300
From: =?UTF-8?Q?Humboldt-Universit=C3=A4t_zu_Berlin?=
<REDACTED_SENDER_A>
To: undisclosed-recipients:;
Subject: =?UTF-8?Q?Angebotsanfrage_=28Humboldt-Universit=C3=A4t_zu_Berlin?=
=?UTF-8?Q?=29_05/10/2021?=
Reply-To: REDACTED_SENDER_A, REDACTED_SENDER_B,
REDACTED_SENDER_C@abv.bg
Message-ID: <10ee08472bcccddd93151369b0147e06@hu-berlin.de>
X-Sender: REDACTED_SENDER_A
Content-Type: multipart/mixed;
boundary="=_35ea40a6443731f915292262d658481c"
X-Virus-Scanned: clamav-milter 0.102.4 at west
X-Virus-Status: Clean
X-purgate-ID: 153031::1633423993-00006D2C-C506565F/7/0
X-purgate-type: dangerous.attachment
X-purgate-size: 444094
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: dangerous
===================
I've redacted personal information because I don't want to dox anyone. REDACTED_SENDER_A and REDACTED_SENDER_B relate to the president of Humboldt-University. REDACTED_SENDER_C is a Russian-sounding name. I left in any information about Humboldt-University and its president, which is publicly available.
==== Mail Content ====
Humboldt-Universität zu Berlin
Unter den Linden 6, 10117 Berlin, Germany
+49 30 2093-REDACTED
Good morning from the Humboldt-Universität zu Berlin
We have received good remarks about your company. Prof. Dr.-Ing.
Dr. Sabine Kunst, President of the Humboldt-Universität zu Berlin, invite
you to submit your commercial proposal for our school budget 2021
(attachment).
Give us the best prices as quickly as possible. Make sure that your
offer arrives before 08 October 2021. Once we have received your offer,
we will visit your company for further discussions. Find the attachment;
let us know immediately if you need further information.
Thanks and best regards.
Prof. Dr.-Ing. Dr. Sabine Kunst
President of the Humboldt-Universität zu Berlin
Unter den Linden 6, 10117 Berlin, Germany
Email: REDACTED_SENDER_A
Telephone: +49 30 2093-REDACTED
_______________________________________________________________
Disclaimer! Please print this e-mail only if absolutely necessary!
This message (including all attachments) is the property of the
humboldt-universität zu berlin and contains confidential information
that is intended for one person and a specific purpose and is protected
by law. If you are not the intended recipient, you must delete this
message and inform them that any disclosure, copying or distribution of
this message, as well as any action related to it, is strictly
prohibited.
Virus-free www.avast.com
==================
Intelligence
Malware Config
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
11306262bd1f1063b69b91dc2bce27093c38de0548d23fcb464414ad0a6c5400
96bf6fa59f5e9f7ab817fd0c2ed49b9e6d4d011cc7884f4961865edd3d80570c
97d4b97ab4f5880766783a88742969d0995cc86463e05a920486f390139667bc
8eea9f59761a743b9084236ac54983e803838f2cb46d6424310334e260201def
0f7b1d33d44c2df099ebcac2627f07269bdadc33182d867a8de06dd0e8991536
1b34d2afa6705ff6291bb774b44c4ef03f60321d63e34efdd8a07f512187c136
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture |
|---|---|
| Author: | ditekSHen |
| Description: | Detect executables with stomped PE compilation timestamp that is greater than local current time |
| Rule name: | pe_imphash |
|---|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
| Delivery method: | Malspam |
|---|---|