Friday, 27 November 2015

And a doc file

From: Bruce Sharpe <>

Subject: Aline: Tax Invoice #40525

Good day,

Please find attached Tax Invoice as requested.

Many thanks for your call.

Bruce Sharpe.

A doc file.
SHA1 5836a7ac46981dad66b056ab64f6ecb583fc92c3
SHA256 feb034075eb65662db187dff2e4441740a62609cec23786854acdebeedc903d5
Virustotal - all 55 products passed it as clean
Metascan - Baidu flagged it, the other 42 passed it as clean
Jotti - Quickheal flagged it, the other 20 passed it as clean
Payload security - contacts a server, downloads a file, drops a file rudakop.exe. When I google that, lots of results say it's malware.

Antivirus products don't block doc files, because a doc file is a legitimate way to pass documents from place to place. But most documents won't include macros.
As you can see from the above, a file that arrived in my inbox (actually, they sent me three copies so far) is malware, and isn't flagged by antivirus products.
My doc file reader doesn't allow macros to run, because I set it that way.

Does yours?
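An added example, not code from the post: a small triage script that does the two checks the post relies on, computing the SHA-1/SHA-256 of an attachment (so it can be compared against published indicators like the ones above) and listing the storage and stream names inside a classic .doc, which is an OLE2 compound file. A VBA project shows up as a "Macros" storage with a "VBA" storage inside it, so the directory names alone separate a plain document from one carrying macros, without opening it in Word. The sample .doc bytes are constructed inside the script; the parser reads only the header's DIFAT (enough for small files, not the extended DIFAT chain of very large ones) and does not handle the zip-based .docm format.

```python
"""Macro triage for a classic Word .doc (OLE2 compound file)."""
import hashlib
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
FREESECT = 0xFFFFFFFF
# Storage names that only a VBA macro project creates inside the container.
MACRO_NAMES = {"Macros", "VBA", "_VBA_PROJECT"}


def file_hashes(data: bytes) -> dict:
    """SHA-1 and SHA-256 of the raw bytes, as scanning services report them."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def ole2_entry_names(data: bytes) -> list:
    """Walk the OLE2 directory chain and return every storage/stream name."""
    if data[:8] != OLE2_MAGIC:
        raise ValueError("not an OLE2 compound file (so not a classic .doc)")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir = struct.unpack_from("<I", data, 48)[0]
    # The header's DIFAT lists up to 109 sectors that hold the FAT.
    fat = []
    for sect in struct.unpack_from("<109I", data, 76):
        if sect == FREESECT:
            break
        off = (sect + 1) * sector_size          # sector 0 starts after the 512-byte header
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, off))
    names = []
    sect = first_dir
    while sect != ENDOFCHAIN and sect < len(fat):
        off = (sect + 1) * sector_size
        for i in range(sector_size // 128):      # 128-byte directory entries
            entry = data[off + i * 128: off + (i + 1) * 128]
            name_len = struct.unpack_from("<H", entry, 64)[0]   # bytes incl. terminator
            entry_type = entry[66]               # 1 storage, 2 stream, 5 root, 0 unused
            if entry_type == 0 or name_len < 2:
                continue
            names.append(entry[:name_len - 2].decode("utf-16-le"))
        sect = fat[sect]                         # follow the chain through the FAT
    return names


def has_macros(data: bytes) -> bool:
    """True when the container carries the storages a VBA project creates."""
    return bool(MACRO_NAMES & set(ole2_entry_names(data)))


def _dir_entry(name: str, entry_type: int) -> bytes:
    raw = name.encode("utf-16-le") + b"\x00\x00"
    entry = bytearray(128)
    entry[:len(raw)] = raw
    struct.pack_into("<H", entry, 64, len(raw))
    entry[66] = entry_type
    return bytes(entry)


def build_sample_doc(with_macros: bool) -> bytes:
    """Constructed minimal .doc: header, one FAT sector, one directory sector."""
    sector_size = 512
    header = bytearray(sector_size)
    header[:8] = OLE2_MAGIC
    struct.pack_into("<H", header, 30, 9)               # 2**9 = 512-byte sectors
    struct.pack_into("<I", header, 48, 1)               # directory chain starts at sector 1
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))  # FAT lives in sector 0
    fat = [FREESECT] * (sector_size // 4)
    fat[0] = FATSECT
    fat[1] = ENDOFCHAIN                                 # directory fits in one sector
    entries = [_dir_entry("Root Entry", 5), _dir_entry("WordDocument", 2)]
    if with_macros:
        entries += [_dir_entry("Macros", 1), _dir_entry("VBA", 1)]
    directory = b"".join(entries).ljust(sector_size, b"\x00")
    return bytes(header) + struct.pack("<%dI" % len(fat), *fat) + directory


def triage(data: bytes) -> dict:
    """Hashes plus a macro verdict, the two facts worth recording for a suspicious attachment."""
    return {**file_hashes(data),
            "entries": ole2_entry_names(data),
            "macros": has_macros(data)}


if __name__ == "__main__":
    for flag in (False, True):
        print(triage(build_sample_doc(with_macros=flag)))
```

Run against a real attachment with `triage(open(path, "rb").read())`; a `macros: True` result on a document nobody asked for is the condition the post describes, whatever the antivirus verdict says.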

1 comment:

  1. Pleasing to note that Microsoft Word (2010, I doubt later versions differ) defaults to "Disable all macros with notification". You can select to disable them all without notification, although it's not an intuitive option to locate.