Date: Thu, 17 Dec 2015 16:40:00 +0800
From: Leona Shields <ShieldsLeona93@kotopo.net>
Subject: 12/16 A Invoice
Hi,
Please find attached a recharge invoice for your broadband.
Many thanks,
Leona Shields
The from-name and from-email address is different each time.
SHA256:
a93233dea9b85c139562ee6ccfcbfe787105e721e6a1f1961e4c031d211a9b99 File name:
invoice18216191.doc
This says that it's a doc file, but actually it's a mime-encoded mso (Microsoft office) file.
Virus Total: 52 products pass it as clean
Payload security: Thinks it's a text file, won't scan it.
Metascan: Preventon flags it, 41 products pass it as clean
Jotti: Flagged by Kaspersky, Sophos and Quick Heal, 18 products pass it as clean
Virus Total first saw it 20 minutes ago.
The reason so many products pass it as clean will be partly because it's only arrived so recently, and partly because of the cunning mime-encoding. I'm guessing that Windows Word will automatically decode and load it (if it didn't, there would be no point in emailing it out.)
Update a few minutes later ...
VirusTotal says that Sophos flags it as CXmail/OleDl-A
No comments:
Post a Comment