Tuesday 24 November 2015

More malware analyses

Aryeh Goretsky, whom I've known for a long, long time and who is currently at Eset (they make anti-malware software), suggested a couple of places other than VirusTotal to try, so I did.

Dear customer

The confirmation invoice for order 1366976 is attached.

Please let me know if you need any other paperwork.

Best regards,

Nimisha Patel
Marketing Assistant
Abcam plc

Enclosed was an XLS spreadsheet. I'm pretty sure it's malware; I have never bought anything from Abcam. The XLS file has a SHA256


SHA1  e681f239b8bd63af26630410c340d83bad53fe10
MD5   7a2b2afb94c7a5ae18dd3456b559a7c0

According to VirusTotal, 8 products (out of 54) flag it as malware.


According to Jotti, the following four products flagged it:

Eset, Fortinet, Kaspersky and Sophos.

Of the products that flagged it on VirusTotal, Arcabit and Trend found nothing at Jotti.

According to Opswat Metascan online, four out of 43 flagged it.

Kaspersky, Preventon, Sophos and ThreatTrack.

Of the products that flagged it on VirusTotal, Eset, Fortinet and TrendMicro found nothing at Metascan.

So a threat that arrived in my mailbox is flagged by about 10% of products.

... update ...

Another file, this one a doc.

MD5:    8875a13b396384acdf18dc6c231bd477
SHA1:    b09d734e793d64964bc9dcf312197c13e9c2de84

VirusTotal - flagged by 18 out of 55
Metascan - flagged by 4 out of 43
Jotti - flagged by 12 out of 21
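The three services above disagree engine by engine, and the same vendor is sometimes listed under different names (Trend vs TrendMicro), which makes the counts hard to compare by eye. The script below is an added example, not anything from the original post or from the scanning services: it computes the MD5/SHA1/SHA256 of an attachment so it can be looked up by hash, and merges per-engine verdicts from several services into a union and a list of engines that contradict themselves. The engine alias table and the sample reports are constructed for illustration and only loosely follow the XLS results described above.

```python
import hashlib

def file_hashes(data: bytes) -> dict:
    """Hex digests used to look a sample up on VirusTotal, Jotti or Metascan
    without re-uploading it (the services key their reports by hash)."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}

# Constructed alias table: services name the same vendor differently.
ALIASES = {"trend": "trendmicro", "trend micro": "trendmicro",
           "eset-nod32": "eset"}

def canonical(engine: str) -> str:
    """Normalise an engine name so verdicts from different services line up."""
    key = engine.strip().lower()
    return ALIASES.get(key, key)

def aggregate(reports: dict) -> dict:
    """reports maps service -> {engine: flagged?}.  Returns the engines that
    flagged the sample on at least one service, the engines whose verdict
    differs between services, and the raw per-engine verdict table."""
    verdicts = {}
    for service, results in reports.items():
        for engine, flagged in results.items():
            verdicts.setdefault(canonical(engine), {})[service] = bool(flagged)
    flagged_anywhere = sorted(e for e, v in verdicts.items() if any(v.values()))
    conflicting = sorted(e for e, v in verdicts.items() if len(set(v.values())) > 1)
    return {"flagged_anywhere": flagged_anywhere,
            "conflicting": conflicting,
            "verdicts": verdicts}

# Constructed sample reports (illustrative, not the real scan output).
SAMPLE_REPORTS = {
    "virustotal": {"Eset": True, "Fortinet": True, "Kaspersky": True,
                   "Sophos": True, "Arcabit": True, "Trend": True},
    "jotti": {"Eset": True, "Fortinet": True, "Kaspersky": True,
              "Sophos": True, "Arcabit": False, "TrendMicro": False},
    "metascan": {"Kaspersky": True, "Sophos": True, "Preventon": True,
                 "ThreatTrack": True, "Eset": False, "Fortinet": False,
                 "TrendMicro": False},
}

if __name__ == "__main__":
    summary = aggregate(SAMPLE_REPORTS)
    print("flagged by at least one service:", summary["flagged_anywhere"])
    print("engines that disagree with themselves:", summary["conflicting"])
    print(file_hashes(b"constructed attachment bytes"))
```

The union is the number that matters when deciding whether a single vendor's verdict can be trusted; an engine in the conflicting list is usually running different signature sets or engine versions at different services.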


  1. I still working on you idea about email flitttering, it will be ready hurley January, if you would like you free copies please send me youse bank details, (to proof identification) and I will sends you your vary own copy to review and yous can keep it.

    But really I am concerned; we use Kaspersky here, and I wonder if we should change it, although to be fair I'm not aware of very many viruses/threats getting through.

  2. Thanks for your kind offer of an email filter, but I already have my own. Perhaps one of the readers of this blog will take you up on the offer.

    I don't know how well Kaspersky compares with other products. Maybe you should upload some of the suspicious files that arrive in your mailbox to one of the three sites I cite above; they will check them against a bunch of products.