• trojan inside xls file

    From August Abolins@2:221/1.58 to All on Tue Mar 10 09:25:00 2020
    Hello!

    There's a bogus .xls file going around with a malware payload. This is the second such email I've received in about 3 days:

    eg. invoice_554137.xls

    What is interesting.. although the filename downloaded is named as per above, VirusTotal reports the filename to be different! So, it's behaving like a file within a file within a file within.. etc.


    Processing it at VirusTotal produces:

    bff54499db6c578c8b3b842c70d8cb9d30bbe6ec4b04726bfbfaa104346a92ce invoice_908873.xls
    65.50 KB

    9 engines detected this file

    ESET-NOD32: DOC/TrojanDownloader.Agent.AUI
    Ikarus: Win32.SuspectCrc
    Kaspersky: HEUR:Trojan.MSOffice.Pederr.gen
    Microsoft: Trojan:Win32/Emali.A!cl
    Qihoo-360: Generic/Trojan.07c
    Sophos AV: Troj/DocDl-XSO
    Symantec: Trojan.Mdropper
    TACHYON: Trojan/XF.Downloader.Gen
    ZoneAlarm by Check Point: HEUR:Trojan.MSOffice.Pederr.gen
    BitDam ATP: MALWARE
    Lastline: MALWARETROJAN

    Undetected: Ad-Aware, AegisLab, AhnLab-V3, ALYac, Antiy-AVL, Arcabit, Avast, Avast-Mobile, AVG, Avira (no cloud), Baidu

    The "popular" engines: AVG, Avast, Ad-Aware, and so on down the list don't detect this thing. Bad news. Beware!


    ../|ug

    --- OpenXP 5.0.43
    * Origin: /|ug's Point, Ont. CANADA (2:221/1.58)
  • From August Abolins@2:221/360 to All on Tue Mar 10 16:39:23 2020
    Here's another one.. ESET-NOD32 looks to be among the best ones out there!

    Results at VirusTotal:


    6 engines detected this file

    invoice_507574.xls
    64.00 KB

    ESET-NOD32: DOC/TrojanDownloader.Agent.AUJ
    Fortinet: XF/Agent.737E!tr
    Ikarus: Win32.SuspectCrc
    Kaspersky: HEUR:Trojan.MSOffice.Pederr.gen
    TACHYON: Trojan/XF.Downloader.Gen
    ZoneAlarm by Check Point: HEUR:Trojan.MSOffice.Pederr.gen
    Lastline: MALWARETROJAN

    Undetected: Ad-Aware, AegisLab, AhnLab-V3, ALYac, Antiy-AVL, Arcabit, Avast, Avast-Mobile, AVG, Avira (no cloud), Baidu, BitDefender, BitDefenderTheta, Bkav, CAT-QuickHeal, ClamAV, CMC, Comodo, Cyren, DrWeb, Emsisoft, eScan, F-Prot, F-Secure, FireEye, GData, Jiangmin, K7AntiVirus, K7GW, Kingsoft, Malwarebytes, MAX, MaxSecure, McAfee, McAfee-GW-Edition, Microsoft, NANO-Antivirus, Panda, Qihoo-360, Rising, Sangfor Engine Zero, SentinelOne (Static ML), Sophos AV, SUPERAntiSpyware, Symantec, Tencent, TrendMicro, TrendMicro-HouseCall, VBA32, VIPRE, ViRobot, Yandex, Zillya, Zoner

    Unable to process file type: Acronis, Alibaba, SecureAge APEX, CrowdStrike Falcon, Cybereason, Cylance, eGambit, Endgame, Palo Alto Networks, Sophos ML, Symantec Mobile Insight, Trapmine, Webroot


    --
    Kad esat sagriezis maizi, to vairs nevarat salikt.

    --- TB68.4.1/Win7
    * Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)
  • From August Abolins@2:221/360 to All on Tue Mar 10 17:11:13 2020
    I forgot to mention.. that the file arrived as:


    invoice_867545.xls ..but when sent to VirusTotal, it was a different name:

    Results at VirusTotal:

    6 engines detected this file

    invoice_507574.xls
    64.00 KB


    BTW.. I sent it to Google Sheets (to see if I could peek at the payload mechanism details ..apparently it operates via a macro), but it seems to be neutered there without any reason.


    http://pics.rsh.ru/img/scam-invoice-0_xljlzkeh.jpg

    http://pics.rsh.ru/img/scam-invoice-1_ow9bs085.jpg



    --
    Kad esat sagriezis maizi, to vairs nevarat salikt.

    --- TB68.4.1/Win7
    * Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)
  • From mark lewis@1:3634/12 to August Abolins on Tue Mar 10 12:14:25 2020
    Re: trojan inside xls file
    By: August Abolins to All on Tue Mar 10 2020 17:11:13


    I forgot to mention.. that the file arrived as:


    invoice_867545.xls ..but when sent to VirusTotal, it was a different name:

    Results at VirusTotal:

    6 engines detected this file

    invoice_507574.xls
    64.00 KB

    this is common... file names don't mean shit... it is the contents that matter...

    not to mention that no one should be opening anything from unknown senders... especially files that purport to be invoices, shipping notices, or similar...


    )\/(ark
    --- SBBSecho 3.10-Linux
    * Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)
  • From August Abolins@2:221/360 to mark lewis on Tue Mar 10 19:14:19 2020
    On 10/03/2020 12:14 p.m., mark lewis : August Abolins wrote:

    Results at VirusTotal:
    6 engines detected this file
    invoice_507574.xls 64.00 KB

    this is common... file names don't mean shit... it is the contents that matter...

    Hi Mark,

    Of course *I* know that. And I hope lurkers of this echo know that.

    And..

    not to mention that no one should be opening anything from unknown senders... especially files that purport to be invoices, shipping notices, or similar...

    ...that too.

    Some look very similar to the real thing such as a message from Paypal, eBay, Interac, etc.

    I just get pissed off that I have to "deal" with them and get rid of them.

    Sometimes Outlook (my MS Office installation) does a pretty good job putting them in the Junk folder.

    I just can't believe that this method still remains the most effective way to drop a malware/ransomware payload. And there are people who actually fall for it!

    I rarely even answer my own phone (land-line) anymore since most of the calls were stupid "This is your captain speaking.." or "This is your Microsoft specialist..your computer is running slow." I remember getting those way back in the early 2000's when internet momentum was building for dialup users, and the same messages are being used today. I don't bother with phone surveys either.

    But I digress..


    --
    Quoted with Reformator/Quoter. Info = https://tinyurl.com/sxnhuxc

    --- TB68.4.1/Win7
    * Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)
  • From Mike Powell@1:2320/105 to AUGUST ABOLINS on Tue Mar 10 17:56:00 2020
    @MSGID: <5E67ABD5.12.fidoinet@capitolcityonline.net>
    Hello!

    There's a bogus .xls file going around with a malware payload. This is the second such email I've received in about 3 days:

    eg. invoice_554137.xls

    Here in the states, I have been getting spam text messages which I think are trying to get me to download this payload.

    Mike


    * SLMR 2.1a * Now... where did I park that hard disk?
    --- SBBSecho 3.10-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
  • From August Abolins@2:221/360 to Mike Powell on Wed Mar 11 17:18:35 2020
    On 10/03/2020 5:56 p.m., Mike Powell : AUGUST ABOLINS wrote:


    There's a bogus .xls file going around with a malware payload. This is the second such email I've received in about 3 days:

    eg. invoice_554137.xls

    Here in the states, I have been getting spam text messages which I think are trying to get me to download this payload.


    In my example, the file has already been delivered as an attachment.

    It's begging to be opened as a normal looking .XLS file. :(

    When I need to send XLS table/data, I usually convert them to PDF which most recipients "trust" especially if they know it's coming from me. And, I don't just send the attachment with a stupid message like: "Here it is." "Open me." I always include a message that can identify that the message is 99.999% truly from me. My message includes clues about why the attachment is being sent.

    But I get pissed off at emails that purport to be Resumes, arrive as .ZIP attachments, and the body of the message says "This is my job application/resume. Password is 1234". Jeeez.


    --
    Quoted with Reformator/Quoter. Info = https://tinyurl.com/sxnhuxc

    --- TB68.4.1/Win7
    * Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)
  • From mark lewis@1:3634/12 to August Abolins on Wed Mar 11 12:31:46 2020
    Re: trojan inside xls file
    By: August Abolins to Mike Powell on Wed Mar 11 2020 17:18:35


    But I get pissed off at emails that purport to be Resumes, arrive as .ZIP attachments, and the body of the message says "This is my job application/resume. Password is 1234". Jeeez.

    don't get mad... work with your software and adjust its filtering to better catch the c4rp...

    the reason this is done is "social hacking" at its best... barnum was right... remember, the 419 scams are still quite viable and in play today ;)


    )\/(ark
    --- SBBSecho 3.10-Linux
    * Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)
  • From Mike Powell@1:2320/105 to AUGUST ABOLINS on Wed Mar 11 17:39:00 2020
    But I get pissed off at emails that purport to be Resumes, arrive as .ZIP attachments, and the body of the message says "This is my job application/resume. Password is 1234". Jeeez.

    They are not even putting much effort behind those, are they? :) Of course, I am sure they still get some folks who will open it anyway.

    Mike


    * SLMR 2.1a * It was all so different before everything changed.
    --- SBBSecho 3.10-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
  • From August Abolins@2:221/1.58 to Mike Powell on Wed Mar 11 20:48:00 2020
    Hello Mike!

    ** 11.03.20 - 17:39, Mike Powell wrote to AUGUST ABOLINS:

    attachments, and the body of the message says "This is my job
    application/resume. Password is 1234". Jeeez.

    They are not even putting much effort behind those, are they? :) Of course, I am sure they still get some folks who will open it anyway.


    No they're not. But I guess we can be grateful that since it is so blatantly stupid, it screams "to be avoided".

    I've seen exactly this simple type of scam since the early 2000's. The fact that we still see this today probably indicates that it is indeed successful in many cases.

    But it upsets me that there is the innocent unsuspecting internet newbie who would automatically go for the "click" before they realize it's too late.

    The attachment could actually be an .exe even though it looks like a .zip

    One click, and you're toast.

    Are tablets/smartphones immune to this type of trick?
    Are webbased email accounts immune?

    ../|ug

    --- OpenXP 5.0.43
    * Origin: /|ug's Point, Ont. CANADA (2:221/1.58)
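Mark's point that the contents, not the filename, decide what a file is, and August's note that a ".zip" can really be an .exe, can both be checked mechanically. The following is an added example, not code from anyone in this thread: it classifies an attachment by its leading bytes, compares that with the extension, and hashes the content so the same bytes are recognised under any name (VirusTotal keys on the hash, which is why it can show a name from an earlier submission of the same file). The signature table and the sample byte strings are constructed for the example.

```python
import hashlib
import os

# Leading-byte signatures of the container formats that matter here.
# The magic values are the well-known ones; the table is constructed for this example.
SIGNATURES = (
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .xls/.doc (OLE compound file)
    (b"PK\x03\x04", "zip"),                          # .zip, and OOXML (.xlsx/.docx) too
    (b"MZ", "pe"),                                   # Windows executable
    (b"%PDF", "pdf"),
)

# Containers an extension may legitimately carry.
EXPECTED = {
    ".xls": {"ole2"}, ".doc": {"ole2"},
    ".xlsx": {"zip"}, ".docx": {"zip"}, ".zip": {"zip"},
    ".pdf": {"pdf"}, ".exe": {"pe"},
}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the filename entirely."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def assess(filename: str, data: bytes) -> dict:
    """Report what the bytes are, whether that contradicts the name, and the hash."""
    kind = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    allowed = EXPECTED.get(ext)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # identity: same bytes, same hash, any name
        "ext": ext,
        "content": kind,
        "mismatch": allowed is not None and kind not in allowed,
        "executable": kind == "pe",
    }


# Constructed sample attachments (headers plus padding only; not real malware).
XLS_BYTES = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
EXE_BYTES = b"MZ\x90\x00" + b"\x00" * 28

if __name__ == "__main__":
    for name, data in (("invoice_554137.xls", XLS_BYTES), ("resume.zip", EXE_BYTES)):
        print(name, assess(name, data))
```

A sniff on the header only says what container the bytes are; whether an OLE2 workbook carries a macro still needs a parser, so treat "ole2 and not mismatched" as "genuinely an old-style .xls", not as "safe".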
  • From August Abolins@2:221/1.58 to August Abolins on Wed Mar 11 21:06:00 2020
    Hello mark!

    ** 11.03.20 - 12:31, mark lewis wrote to August Abolins:

    don't get mad... work with your software and adjust its filtering to better catch the c4rp...

    I don't exhibit the same zen you have. ;)

    Although I can spot a lie like an email scam, I just get angry that some innocent person will fall for it.


    the reason this is done is "social hacking" at its best... barnum was right... remember, the 419 scams are still quite viable and in play today ;)

    I would have to say that the barnum reference is different. With barnum, people had to go to his circus of lies first before they were enticed to pay $'s for the big reveal and *then* thereby becoming the suckers.

    In email scams, we're getting the lies sent to us first assuming that we are already the suckers. I resent that premise.

    I admire your zen.


    ../|ug

    --- OpenXP 5.0.43
    * Origin: /|ug's Point, Ont. CANADA (2:221/1.58)
  • From Richard Menedetter@2:310/31 to mark lewis on Thu Mar 12 10:06:36 2020
    Hi mark!

    11 Mar 2020 12:31, from mark lewis -> August Abolins:

    But I get pissed off at emails that purport to be Resumes, arrive as .ZIP attachments, and the body of the message says "This is my job application/resume. Password is 1234". Jeeez.

    don't get mad... work with your software and adjust its filtering to better catch the c4rp...

    I have seen a really amazing effect when activating greylisting.

    The number of SPAM mails is now near 0.

    It is quite easy.
    The mailserver refuses the first contact attempt, and allows subsequent ones. Spammers never come back, regular mailservers must, if they are correctly implemented.
    Quite easy and extremely effective!

    CU, Ricsi

    ... Because his parents were easily discouraged, he's an only child.
    --- GoldED+/LNX
    * Origin: Anything that can go wrong will! (2:310/31)
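Ricsi's description of greylisting (refuse the first delivery attempt, accept the proper retry that a correctly implemented mailserver will make) as a self-contained decision routine. This is an added example, not code from anyone in this thread or from any real MTA; the timing thresholds and the /24 grouping of the client address are my assumptions, chosen to match common greylisting practice.

```python
import time

TEMPFAIL = "451 4.7.1 Greylisted, please retry later"   # SMTP temporary failure
ACCEPT = "250 OK"


class Greylist:
    """Track (client network, sender, recipient) triplets and decide per delivery attempt."""

    def __init__(self, min_delay=300, max_wait=4 * 3600, keep_known=36 * 24 * 3600):
        self.min_delay = min_delay      # retries sooner than this are still refused
        self.max_wait = max_wait        # an unconfirmed triplet older than this is forgotten
        self.keep_known = keep_known    # a confirmed triplet is accepted outright this long
        self.entries = {}               # triplet -> (timestamp, confirmed)

    def check(self, client_ip: str, sender: str, recipient: str, now: float = None) -> str:
        now = time.time() if now is None else now
        # Assumption: match on the /24 so a sending farm retrying from a sibling IP still passes.
        net = ".".join(client_ip.split(".")[:3])
        key = (net, sender.lower(), recipient.lower())
        entry = self.entries.get(key)
        if entry is None:
            # First contact: refuse with a temporary error. A spammer that never
            # retries is stopped here; a real MTA queues the message and comes back.
            self.entries[key] = (now, False)
            return TEMPFAIL
        stamp, confirmed = entry
        age = now - stamp
        if confirmed:
            if age <= self.keep_known:
                return ACCEPT
            self.entries[key] = (now, False)      # whitelist entry expired; start over
            return TEMPFAIL
        if age < self.min_delay:
            return TEMPFAIL                        # too-eager retry, still refused
        if age > self.max_wait:
            self.entries[key] = (now, False)      # stale first attempt; treat as new
            return TEMPFAIL
        self.entries[key] = (now, True)           # a proper retry: confirm the triplet
        return ACCEPT


if __name__ == "__main__":
    g = Greylist()
    t0 = 1_000_000.0
    # Constructed sequence: first attempt, a too-early retry, then a proper one.
    for dt in (0, 60, 600):
        print(dt, g.check("203.0.113.5", "billing@example.org", "me@example.net", t0 + dt))
```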