2020-08-18 (Tuesday) - Emotet malspam example

2020-08-18 (TUESDAY) - EMOTET MALSPAM EXAMPLE

NOTES: This was, indeed, sent to a gmail account that I created, but the original name has been edited here, changed to alfonzo.nickelton to hide the identity of this account.  Also, felicidad.bateman@outlook.com is another account I control, but the name has been changed to felicidad.bateman to protect the identity of that specific account, too.

Delivered-To: alfonzo.nickelton@gmail.com
Received: by 2002:a0c:f98e:0:0:0:0:0 with SMTP id t14csp294251qvn;
        Tue, 18 Aug 2020 06:22:28 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJz5zj6xP3vif44hBEhrSs8k4bAgv+walUkYqQzhUsO14Y/Rf2Z808Wg23VrJI3P/FrbSeHA
X-Received: by 2002:aca:1202:: with SMTP id 2mr12148139ois.79.1597756948818;
        Tue, 18 Aug 2020 06:22:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1597756948; cv=none;
        d=google.com; s=arc-20160816;
        b=GotMZYZSToo3oCwqRYyRaxQVQJ2sxS5q3YBkymD5kmGrDizwrSuwG2vBFgLHt3a748
         mVkO1CWPaELOhIjbfuirA+oCQuKosfUeC9oCcpwrACgZiYwK4TvEzjU+Y97kehZm1tNq
         lIIVMaRecFJJ4/6t2hqu9EcDMpUboWezqehjZKQKm/n2Hhup8Y+0od3O//qannlBdy3Y
         nha+1zwSIsLeBzFkeqbeTCMjESig+BFR9j4+SUn/8E0kZvcZGk8QelLpGSI+jacFgECu
         V5j6Sc1YaPlmibYGpQIx7GOSAHNTe2Hrn7GfNgURCWXgN+/5bXaQL6yJPolteSrJBY69
         AZJQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:subject:to:from:date
         :dkim-signature:message-id;
        bh=iqQr5Z1a3+g6QLrUi/SnUk0+zDvhHIg6nw/oUROsOpc=;
        b=FJkLTJM+iUhMtNrXOQpLBHhn5e9MHL12jUj4GiRFEp5uEEmHvaJI55ZbbbpqdGnX8Q
         pNpUW/C4+g3r0jVpbu/sLHpZ2GDMc+iHiR9mRLFA7tX+COrPH8t9unOG/4W4yYM2fEkn
         RphtUkp8gdddNIZEduC6f7qHge34w15db3+pgm3L3hWEUEBYePbMslH3mBe5ZFTr+Rc6
         x7jd5Xufnu671xwkdLZjjmtbowdwsruD3Rvcq1bf/Vzpb33V6sABrJddRXfWQGoSBMWg
         gd3qAxPv9HslFYusHbm9/CmMKMe7aXZvVjWc/Of5WGISvMX0lTE0L0Mu0oWrYBAxZuiD
         ZTcA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@lusaanlogistics.com header.s=default header.b=CFYYVhly;
       spf=pass (google.com: domain of karla.saavedra@lusaanlogistics.com designates 185.148.128.148 as permitted sender) smtp.mailfrom=karla.saavedra@lusaanlogistics.com;
       dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=lusaanlogistics.com
Return-Path: <karla.saavedra@lusaanlogistics.com>
Received: from server.decidetuweb.com (server.decidetuweb.com. [185.148.128.148])
        by mx.google.com with ESMTPS id c23si11709263otk.181.2020.08.18.06.22.27
        for <alfonzo.nickelton@gmail.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 18 Aug 2020 06:22:27 -0700 (PDT)
Received-SPF: pass (google.com: domain of karla.saavedra@lusaanlogistics.com designates 185.148.128.148 as permitted sender) client-ip=185.148.128.148;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@lusaanlogistics.com header.s=default header.b=CFYYVhly;
       spf=pass (google.com: domain of karla.saavedra@lusaanlogistics.com designates 185.148.128.148 as permitted sender) smtp.mailfrom=karla.saavedra@lusaanlogistics.com;
       dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=lusaanlogistics.com
Message-ID: <5f3bd613.1c69fb81.cf819.cf8dSMTPIN_ADDED_MISSING@mx.google.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lusaanlogistics.com; s=default; h=Content-Transfer-Encoding:Content-Type:
	MIME-Version:Subject:To:From:Date:Sender:Reply-To:Message-ID:Cc:Content-ID:
	Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
	:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
	List-Subscribe:List-Post:List-Owner:List-Archive;
	bh=iqQr5Z1a3+g6QLrUi/SnUk0+zDvhHIg6nw/oUROsOpc=; b=CFYYVhlyufTId2ljSZbE5VZ0ej
	OeZLXA1vi94g/oInpLh37C/M8iWbO5cffaOMWJIEbazgshgF+97zGtDlX5YGpzRpTpE3PmlGsXGHB
	Bj1cATSuCFSYXJ8AhBwrp5mMxbrO2WIn317Uyu7Y1xD7z17iczOrOYf+3aKwzH2sCBE58WChScI3h
	Qcr/q8CcPyLoB12i+TKBfBHHiLymMYK1yBm05Oamxb31sppfQgbT/FDH4gFApFPiQsbWLbHL5W+nn
	gov2BZIcu8ZH0AMq17LYRHBvAGi6r5NNzputkVtq6zn2oxKPiJ0yVeqWi3KqwerPlYIKMPHU52Qe9
	ocPv8ZFg==;
Received: from [189.113.65.98] (port=49646)
	by server.decidetuweb.com with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.93)
	(envelope-from <karla.saavedra@lusaanlogistics.com>)
	id 1k81ZK-00061a-Dg
	for alfonzo.nickelton@gmail.com; Tue, 18 Aug 2020 09:22:26 -0400
Date: Tue, 18 Aug 2020 10:22:26 -0300
From: "Felicidad Bateman" <karla.saavedra@lusaanlogistics.com>
To: <alfonzo.nickelton@gmail.com>
Subject: Attn: Felicidad Bateman - Invoice attached, please read
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.decidetuweb.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - lusaanlogistics.com
X-Get-Message-Sender-Via: server.decidetuweb.com: authenticated_id: karla.saavedra@lusaanlogistics.com
X-Authenticated-Sender: server.decidetuweb.com: karla.saavedra@lusaanlogistics.com
X-Source:
X-Source-Args:
X-Source-Dir:

=0DMorning,


=0DIt=E2=80=99s a subscription to submit you invoices to us through their s=
ystem and at the same time you get our business, =0Dthen  again I am just a=
ssuming on how system works.

http://abacusnoida.com/js/common_box/corporate_wKF2K_IgF1cAmlWSy/Fxs24mYNy_=
xfrm3N5nx9G81/


Thanks for using Felicidad Bateman!


Felicidad Bateman=0DMain: 582-505.1890   Fax: 582-505.1544=0DEMAIL:felicida=
d.bateman@outlook.com