Thursday, 30 March 2017

More trojans

Date: Thu, 30 Mar 2017 13:43:20
Subject: uk_confirmation_ph134150011.pdf


Confirmation letter enclosed.  Please see attachment.
Actually, it isn't a pdf, it's a zip file containing a zip file that contains an exe file and a txt file requesting me to open the exe file. Well, even if I were running Windows, I'm not going to open the file.

I showed it to Virustotal, and 8 out of 59 products flagged it. It was first seen about an hour ago; that's why so many products don't flag it. But that's how things are these days.

What does it do? I don't know, and don't much care. An exe file pretending to be a pdf file is going to be malicious. My guess is that it's ransomware, because that's the way things are today. Or maybe it zombifies your computer. Or maybe it displays flags of all nations - I don't care enough to spend very many hours analysing the file.

When I send the exe file to VirusTotal, 11 out of 61 products flag it. That means that some products aren't scanning inside zip files (or at least, aren't scanning inside files that have been doubly zipped). That's bad.

If you're depending on an antivirus to protect you from the malware threat, you better make sure that your lucky horseshoe is nailed to your computer.


  1. I received two emails of this type described by Hoax Slayer:
    Several worrying aspects:
    "The criminals may have used information stolen during various data breaches" - I received these to email address ONLY used for online banking submissions to HMRC from Santander bank.
    Gmail did not block these (imported from my private email account) even though both had the dodgy doc files as attachments.
    VirusTotal of the docs had Detection ratio: 0 / 56
    Both had my full name + post address (Rickmansworth) but one of them had the post code of my late mother (300 miles away).

  2. If you send enough mails to enough people, you'll find a few gullible folks who don't have critical thinking amongst their skills.