Thursday 17 December 2015

Another malware

Date: Thu, 17 Dec 2015 16:40:00 +0800
From: Leona Shields <>
Subject: 12/16 A Invoice

Please find attached a recharge invoice for your broadband.

Many thanks,
Leona Shields

The from-name and from-email address are different each time.

SHA256: a93233dea9b85c139562ee6ccfcbfe787105e721e6a1f1961e4c031d211a9b99
File name: invoice18216191.doc

The extension says it's a .doc file, but it's actually a MIME-encoded MSO (Microsoft Office) file.

Virus Total: 52 products pass it as clean
Payload security: Thinks it's a text file, won't scan it.
Metascan: Preventon flags it, 41 products pass it as clean
Jotti: Flagged by Kaspersky, Sophos and Quick Heal, 18 products pass it as clean

Virus Total first saw it 20 minutes ago.

The reason so many products pass it as clean will be partly because it's only arrived so recently, and partly because of the cunning MIME encoding. I'm guessing that Windows Word will automatically decode and load it (if it didn't, there would be no point in emailing it out).
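The mismatch described above (a ".doc" name on a MIME-encoded body) is exactly what a triage script can catch before a signature exists. The following is an added example, not code from the original post: it ignores the file name, sniffs the real container from the leading bytes, and, when the bytes are MIME, parses them with Python's standard-library email module and lists parts that carry an Office payload (an application/x-mso part, an ActiveMime header, or raw OLE2 bytes). The MHTML document built inside it is a constructed stand-in, not the hash-listed sample; the expected-container table is an assumption made for this example.

```python
import base64
import email
import re

# Magic bytes for the containers a ".doc" could legitimately be.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # binary Office (OLE2 / Compound File)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx, .xlsm) zip containers
ACTIVEMIME_MAGIC = b"ActiveMime"                  # header of the editdata.mso blob in Word MHTML
MIME_HEADER_RE = re.compile(rb"^(MIME-Version|Content-Type):", re.IGNORECASE | re.MULTILINE)

# Which container each extension is expected to carry (assumption for this example).
EXPECTED_CONTAINER = {
    "doc": {"ole2"}, "xls": {"ole2"}, "ppt": {"ole2"},
    "docx": {"ooxml"}, "docm": {"ooxml"}, "xlsx": {"ooxml"}, "xlsm": {"ooxml"},
}


def classify(data: bytes) -> str:
    """Decide what the bytes really are, ignoring the file name."""
    head = data[:4096]
    if head.startswith(OLE_MAGIC):
        return "ole2"
    if head.startswith(ZIP_MAGIC):
        return "ooxml"
    if MIME_HEADER_RE.search(head):
        return "mime"
    return "unknown"


def mime_office_parts(data: bytes) -> list:
    """Parse a MIME-encoded document and report parts carrying Office payloads."""
    msg = email.message_from_bytes(data)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        ctype = part.get_content_type()
        if (ctype == "application/x-mso"
                or body.startswith(ACTIVEMIME_MAGIC)
                or body.startswith(OLE_MAGIC)):
            found.append((ctype, part.get("Content-Location", ""), len(body)))
    return found


def assess(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the sniffed container and dig into MIME bodies."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = classify(data)
    mismatch = ext in EXPECTED_CONTAINER and actual not in EXPECTED_CONTAINER[ext]
    result = {
        "filename": filename,
        "declared_extension": ext,
        "actual_container": actual,
        "extension_mismatch": mismatch,
        "office_parts": [],
    }
    if actual == "mime":
        result["office_parts"] = mime_office_parts(data)
    return result


def build_sample_mhtml() -> bytes:
    """Constructed stand-in for a MIME-encoded Word document (not the real sample)."""
    blob = base64.b64encode(ACTIVEMIME_MAGIC + b"\x00" * 30).decode()
    return (
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/related; boundary="----=_NextPart_01"\n'
        "\n"
        "------=_NextPart_01\n"
        "Content-Location: file:///C:/invoice.htm\n"
        "Content-Transfer-Encoding: quoted-printable\n"
        'Content-Type: text/html; charset="us-ascii"\n'
        "\n"
        "<html><body>placeholder body</body></html>\n"
        "\n"
        "------=_NextPart_01\n"
        "Content-Location: file:///C:/invoice_files/editdata.mso\n"
        "Content-Transfer-Encoding: base64\n"
        "Content-Type: application/x-mso\n"
        "\n"
        f"{blob}\n"
        "\n"
        "------=_NextPart_01--\n"
    ).encode()


if __name__ == "__main__":
    for name, data in [("invoice18216191.doc", build_sample_mhtml()),
                       ("report.doc", OLE_MAGIC + b"\x00" * 512)]:
        print(assess(name, data))
```

Run against the constructed sample, the script reports the container as "mime", flags the extension mismatch and lists one application/x-mso part; a genuine binary .doc (OLE2 magic) passes with no mismatch. The point for a mail gateway or sandbox is to classify on content, not on the name or a text-looking first line, which is the gap the "thinks it's a text file" result above illustrates.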

Update a few minutes later ...

VirusTotal says that Sophos flags it as CXmail/OleDl-A
