• trojan inside. another one

    From August Abolins@2:221/360 to All on Thu Mar 12 19:33:01 2020
    Got another one. Thankfully my email service parked it inside the JUNK folder on
    the server side.

    =-=-= the suspect BEGIN =-=-=

    Invoice Due #974051
    From Leanor Dana <money@provincialset.online>
    Date Wed 10:43 am
    Attachments: ref_791186.xls (~65 KB)
    Message Body:

    Good Morning,

    Your invoice is attached.

    Please remit payment at your earliest convenience.

    Thank you for your business.


    Lolly Lana

    CPA + Partner
    Coval Anderson Coval LLC
    868 Washington St
    Easton, MA 02375

    Tel 508-238-7110
    Fax 508-238-7222

    =-=-= the suspect END =-=-=

    THEN, I sent the attachment to VirusTotal:

    File submitted: ref_791186.xls

    Reconstitutes as: mime-part--98558-4225.xls

    20 engines detected this file

    Ad-Aware Trojan.GenericKD.33535968
    AegisLab Trojan.MSOffice.Pederr.4!c
    Arcabit Trojan.Generic.D1FFB7E0
    BitDefender Trojan.GenericKD.33535968
    Cyren W97M/Agent.D
    DrWeb Exploit.Siggen.62209
    Emsisoft Trojan.GenericKD.33535968 (B)
    eScan Trojan.GenericKD.33535968
    ESET-NOD32 DOC/TrojanDownloader.Agent.AUQ
    F-Prot W97M/Agent.D
    GData Trojan.GenericKD.33535968
    Ikarus Trojan-Downloader.VBA.Agent
    Kaspersky HEUR:Trojan.MSOffice.Pederr.gen
    MAX Malware (ai Score=86)
    McAfee-GW-Edition Artemis
    Microsoft Trojan:Win32/Emali.B!cl
    Qihoo-360 Generic/Trojan.07c
    Sophos AV Troj/DocDl-XUL
    TACHYON Trojan/XF.Downloader.Gen
    ZoneAlarm by Check Point HEUR:Trojan.MSOffice.Pederr.gen

    It is disconcerting that several popular scanners can't detect a problem:

    AhnLab-V3 Undetected
    ALYac Undetected
    Antiy-AVL Undetected
    Avast Undetected <===!!!
    Avast-Mobile Undetected
    AVG Undetected <===!!!
    Avira (no cloud) Undetected
    Baidu Undetected
    BitDefenderTheta Undetected
    Bkav Undetected
    CAT-QuickHeal Undetected
    ClamAV Undetected <===!!!
    CMC Undetected
    Comodo Undetected <===!!!
    F-Secure Undetected <===!!!
    FireEye Undetected
    Fortinet Undetected
    Jiangmin Undetected
    K7AntiVirus Undetected
    K7GW Undetected
    Kingsoft Undetected
    Malwarebytes Undetected <===!!!
    MaxSecure Undetected
    McAfee Undetected <===!!!
    NANO-Antivirus Undetected
    Panda Undetected <===!!!
    Rising Undetected
    Sangfor Engine Zero Undetected
    SentinelOne (Static ML) Undetected
    SUPERAntiSpyware Undetected
    Tencent Undetected
    TrendMicro Undetected <===!!!
    TrendMicro-HouseCall Undetected <===!!!
    VBA32 Undetected
    VIPRE Undetected
    ViRobot Undetected
    Yandex Undetected
    Zillya Undetected
    Zoner Undetected

    Acronis Unable to process file type
    Alibaba Unable to process file type
    SecureAge APEX Unable to process file type
    CrowdStrike Falcon Unable to process file type
    Cybereason Unable to process file type
    Cylance Unable to process file type
    eGambit Unable to process file type
    Endgame Unable to process file type
    Palo Alto Networks Unable to process file type
    Sophos ML Unable to process file type
    Symantec Mobile Insight Unable to process file type
    Trapmine Unable to process file type

    I looked inside the file with Notepad++. There were a few revelations!

    I feel like sending back a reply with the same attachment. My message would be:

    "See attachment for a reciprocation."

    Our computers are not responding following your email. Please mail paper copy to:

    {insert Police station address here}

    I do not agree with line 3. See attachment.

    I would guess that maybe they have clueless "clerks" who might just fall for their own tricks.

    Once you have sliced the bread, you cannot put it back together.

    --- TB68.4.1/Win7
    * Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)
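The post's point about the engine split (20 detections against a long "Undetected" list) is exactly the situation where a single vendor's verdict misleads. The following script, an added example and not code from the post or from VirusTotal, turns a pasted plain-text engine listing of this shape into a per-bucket summary and a quarantine decision. The listing embedded below is constructed from the post: all 20 detection rows plus a subset of the "Undetected" and "Unable to process" rows; the engine/verdict split heuristic, the `triage` thresholds and all function names are assumptions of this example.

```python
"""Triage helper for a plain-text VirusTotal engine listing.

Added example (not from the post). The pasted rows do not delimit engine
name from verdict, so a small heuristic splits them; the summary then drives
a decision on consensus rather than on any one scanner's opinion.
"""
import re
from collections import Counter

UNDETECTED = "Undetected"
UNPROCESSED = "Unable to process file type"
# A token containing any of these characters is taken as the start of a
# detection name; engine names in the listing never contain them.
_VERDICT_CHARS = set("./:!")
_MARKER = re.compile(r"\s*<===!+\s*$")  # the post's "<===!!!" annotations

# Constructed sample: the post's 20 detection rows verbatim, plus a subset of
# its "Undetected" and "Unable to process file type" rows.
SAMPLE_LISTING = """\
Ad-Aware Trojan.GenericKD.33535968
AegisLab Trojan.MSOffice.Pederr.4!c
Arcabit Trojan.Generic.D1FFB7E0
BitDefender Trojan.GenericKD.33535968
Cyren W97M/Agent.D
DrWeb Exploit.Siggen.62209
Emsisoft Trojan.GenericKD.33535968 (B)
eScan Trojan.GenericKD.33535968
ESET-NOD32 DOC/TrojanDownloader.Agent.AUQ
F-Prot W97M/Agent.D
GData Trojan.GenericKD.33535968
Ikarus Trojan-Downloader.VBA.Agent
Kaspersky HEUR:Trojan.MSOffice.Pederr.gen
MAX Malware (ai Score=86)
McAfee-GW-Edition Artemis
Microsoft Trojan:Win32/Emali.B!cl
Qihoo-360 Generic/Trojan.07c
Sophos AV Troj/DocDl-XUL
TACHYON Trojan/XF.Downloader.Gen
ZoneAlarm by Check Point HEUR:Trojan.MSOffice.Pederr.gen
Avast Undetected <===!!!
AVG Undetected <===!!!
ClamAV Undetected <===!!!
McAfee Undetected <===!!!
Panda Undetected <===!!!
TrendMicro Undetected <===!!!
Sangfor Engine Zero Undetected
SentinelOne (Static ML) Undetected
CrowdStrike Falcon Unable to process file type
Palo Alto Networks Unable to process file type
Sophos ML Unable to process file type
"""


def classify(line):
    """Return (engine, bucket, detection_name) for one row, or None if blank."""
    line = _MARKER.sub("", line.strip())
    if not line:
        return None
    if line.endswith(" " + UNDETECTED):
        return line[: -len(UNDETECTED) - 1], "undetected", None
    if line.endswith(" " + UNPROCESSED):
        return line[: -len(UNPROCESSED) - 1], "unprocessed", None
    tokens = line.split()
    # Detection name starts at the first token with '.', '/', ':' or '!';
    # if no token has one (e.g. "McAfee-GW-Edition Artemis"), assume a
    # single-word engine name.
    split_at = next((i for i, t in enumerate(tokens) if _VERDICT_CHARS & set(t)), 1)
    split_at = max(split_at, 1)
    return " ".join(tokens[:split_at]), "detected", " ".join(tokens[split_at:])


def summarize(listing):
    """Bucket every row and compute the detection ratio among engines that voted."""
    buckets = {"detected": [], "undetected": [], "unprocessed": []}
    names = Counter()
    for row in (classify(l) for l in listing.splitlines()):
        if row is None:
            continue
        engine, bucket, name = row
        buckets[bucket].append(engine)
        if name:
            names[name] += 1
    # Engines that could not parse the file type are abstentions, not votes.
    voters = len(buckets["detected"]) + len(buckets["undetected"])
    ratio = len(buckets["detected"]) / voters if voters else 0.0
    return {"buckets": buckets, "ratio": ratio, "names": names}


def triage(summary, min_engines=3):
    """A handful of independent detections is enough to quarantine; a long
    'Undetected' list only shows signature lag, not a clean file."""
    hits = len(summary["buckets"]["detected"])
    if hits >= min_engines:
        return "quarantine"
    if hits > 0:
        return "hold for analysis"
    return "no AV signal"  # absence of detections is not proof of safety


if __name__ == "__main__":
    s = summarize(SAMPLE_LISTING)
    for bucket, engines in s["buckets"].items():
        print(f"{bucket:>11}: {len(engines):2d}  {', '.join(engines)}")
    print(f"detection ratio among voting engines: {s['ratio']:.2f}")
    print("most common name:", s["names"].most_common(1)[0])
    print("decision:", triage(s))
```

Running it shows why the post's "<===!!!" markers matter less than they look: the decision is taken on the 20 agreeing engines, the "Unable to process file type" rows are excluded from the denominator, and the most common detection name (the generic `Trojan.GenericKD.33535968` family shared by four BitDefender-engine scanners) is surfaced so an analyst can see that much of the consensus comes from one underlying engine.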