Hello!

There's a bogus .xls file going around with a malware payload. This is the second such email I've receive in about 3 days:

eg. invoice_554137.xls

What is interesting.. although the filename downloaded is named as per
above, VirusTotal reports the filename to be different! So, it's
behaving like a file within a file within a file within.. etc.


Processing it at VirusTotal produces:

bff54499db6c578c8b3b842c70d8cb9d30bbe6ec4b04726bfbfaa104346a92ce invoice_908873.xls
65.50 KB

9 engines detected this file

ESET-NOD32
DOC/TrojanDownloader.Agent.AUI

Ikarus
Win32.SuspectCrc

Kaspersky
HEUR:Trojan.MSOffice.Pederr.gen

Microsoft
Trojan:Win32/Emali.A!cl

Qihoo-360
Generic/Trojan.07c

Sophos AV
Troj/DocDl-XSO

Symantec
Trojan.Mdropper

TACHYON
Trojan/XF.Downloader.Gen

ZoneAlarm by Check Point
HEUR:Trojan.MSOffice.Pederr.gen

BitDam ATP
MALWARE

Lastline
MALWARETROJAN

Ad-Aware
Undetected

AegisLab
Undetected

AhnLab-V3
Undetected

ALYac
Undetected

Antiy-AVL
Undetected

Arcabit
Undetected

Avast
Undetected

Avast-Mobile
Undetected

AVG
Undetected

Avira (no cloud)
Undetected

Baidu
Undetected

The "popular" engines: AVG, Avast, Ad-Aware, and so on down the list don't detect this thing. Bad news. Beware!


../|ug

--- OpenXP 5.0.43
* Origin: /|ug's Point, Ont. CANADA (2:221/1.58)

Here's another one.. ESET-NOD32 looks to be among the best ones out there!

Results at VirusTotal:


6 engines detected this file

invoice_507574.xls
64.00 KB


ESET-NOD32
DOC/TrojanDownloader.Agent.AUJ

Fortinet
XF/Agent.737E!tr

Ikarus
Win32.SuspectCrc

Kaspersky
HEUR:Trojan.MSOffice.Pederr.gen

TACHYON
Trojan/XF.Downloader.Gen

ZoneAlarm by Check Point
HEUR:Trojan.MSOffice.Pederr.gen

Lastline
MALWARETROJAN

Ad-Aware
Undetected

AegisLab
Undetected

AhnLab-V3
Undetected

ALYac
Undetected

Antiy-AVL
Undetected

Arcabit
Undetected

Avast
Undetected

Avast-Mobile
Undetected

AVG
Undetected

Avira (no cloud)
Undetected

Baidu
Undetected

BitDefender
Undetected

BitDefenderTheta
Undetected

Bkav
Undetected

CAT-QuickHeal
Undetected

ClamAV
Undetected

CMC
Undetected

Comodo
Undetected

Cyren
Undetected

DrWeb
Undetected

Emsisoft
Undetected

eScan
Undetected

F-Prot
Undetected

F-Secure
Undetected

FireEye
Undetected

GData
Undetected

Jiangmin
Undetected

K7AntiVirus
Undetected

K7GW
Undetected

Kingsoft
Undetected

Malwarebytes
Undetected

MAX
Undetected

MaxSecure
Undetected

McAfee
Undetected

McAfee-GW-Edition
Undetected

Microsoft
Undetected

NANO-Antivirus
Undetected

Panda
Undetected

Qihoo-360
Undetected

Rising
Undetected

Sangfor Engine Zero
Undetected

SentinelOne (Static ML)
Undetected

Sophos AV
Undetected

SUPERAntiSpyware
Undetected

Symantec
Undetected

Tencent
Undetected

TrendMicro
Undetected

TrendMicro-HouseCall
Undetected

VBA32
Undetected

VIPRE
Undetected

ViRobot
Undetected

Yandex
Undetected

Zillya
Undetected

Zoner
Undetected

Acronis
Unable to process file type

Alibaba
Unable to process file type

SecureAge APEX
Unable to process file type

CrowdStrike Falcon
Unable to process file type

Cybereason
Unable to process file type

Cylance
Unable to process file type

eGambit
Unable to process file type

Endgame
Unable to process file type

Palo Alto Networks
Unable to process file type

Sophos ML
Unable to process file type

Symantec Mobile Insight
Unable to process file type

Trapmine
Unable to process file type

Webroot
Unable to process file type


--
Kad esat sagriezis maizi, to vairs nevarat salikt.

--- TB68.4.1/Win7
* Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)

I forgot to mention.. that the file arrived as:


invoice_867545.xls ..but when sent to Virus total, it was a different name:

Results at VirusTotal:

6 engines detected this file

invoice_507574.xls
64.00 KB


BTW.. I sent it to Google Sheets (to see if I could peek at the payload mechanism details ..apparently it operates via a macro), but it seems to be neutered there without any reason.


http://pics.rsh.ru/img/scam-invoice-0_xljlzkeh.jpg

http://pics.rsh.ru/img/scam-invoice-1_ow9bs085.jpg



--
Kad esat sagriezis maizi, to vairs nevarat salikt.

--- TB68.4.1/Win7
* Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)

Re: trojan inside xls file
By: August Abolins to All on Tue Mar 10 2020 17:11:13

I forgot to mention.. that the file arrived as:

invoice_867545.xls ..but when sent to Virus total, it was a different

name:

Results at VirusTotal:

6 engines detected this file

invoice_507574.xls
64.00 KB

this is common... file names don't mean shit... it is the contents that matter...

not to mention that no one should be opening anything from unknown senders... especially files that purport to be invoices, shipping notices, or similar...


)\/(ark
--- SBBSecho 3.10-Linux
* Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)

On 10/03/2020 12:14 p.m., mark lewis : August Abolins wrote:

Results at VirusTotal:
6 engines detected this file
invoice_507574.xls 64.00 KB

this is common... file names don't mean shit... it is the
contents that matter...

Hi Mark,

Of course *I* know that. And I hope lurkers of this echo know that.

And..

not to mention that no one should be opening anything from
unknown senders... especially files that purport to be invoices,
shipping notices, or similar...

...that too.

Some look very similar to the real thing such as a message from Paypal, eBay, Interac, etc.

I just get pissed off that I have to "deal" with them and get rid of them.

Sometimes Outlook (my MS Office installation) does a pretty good job putting them in the Junk folder.

I just can't believe that this method still remains the most effective way to drop a maleware/ransomware payload. And there are people who actually fall for
it!

I rarely even answer my own phone (land-line) anymore since most of the calls were stupid "This is your captain speaking.." or "This is your Microsoft specialist..your computer is running slow." I remember getting those way back in the early 2000's when internet momentum was building for dialup users, and the same messages are being used today. I don't bother with phone surveys either.

But I digress..


--
Quoted with Reformator/Quoter. Info = https://tinyurl.com/sxnhuxc

--- TB68.4.1/Win7
* Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)

@MSGID: <5E67ABD5.12.fidoinet@capitolcityonline.net>
Hello!

There's a bogus .xls file going around with a malware payload. This is the second such email I've receive in about 3 days:

eg. invoice_554137.xls

Here in the states, I have been getting spam text messages which I think
are trying to get me to download this payload.

Mike


* SLMR 2.1a * Now... where did I park that hard disk?
--- SBBSecho 3.10-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)

On 10/03/2020 5:56 p.m., Mike Powell : AUGUST ABOLINS wrote:

There's a bogus. xls file going around with a malware payload.
This is the second such email I've receive in about 3 days:

eg. invoice_554137.xls

Here in the states, I have been getting spam text messages which
I think are trying to get me to download this payload.

In my example, the file has already been delivered as an attachment.

It's begging to be opened as a normal looking .XLS file. :(

When I need to send XLS table/data, I usually convert then to PDF which most recipients "trust" especially if they know it's coming from me. And, I don't just send the attachment with a stupid message like: "Here it is." "Open me." I
always include a message that can identify that the message is 99.999% truly from me. My message includes clues about why the attachment is being sent.

But I get pissed off at emails that purport to be Resumes, arrive as .ZIP attachments, and the body of the message says "This is my job application/resume. Password is 1234". Jeeez.


--
Quoted with Reformator/Quoter. Info = https://tinyurl.com/sxnhuxc

--- TB68.4.1/Win7
* Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)

Re: trojan inside xls file
By: August Abolins to Mike Powell on Wed Mar 11 2020 17:18:35

But I get pissed off at emails that purport to be Resumes,
arrive as .ZIP attachments, and the body of the message
says "This is my job application/resume. Password is 1234".
Jeeez.

don't get mad... work with your software and adjust its filtering to better catch the c4rp...

the reason this is done is "social hacking" at its best... barnum was right... remember, the 419 scams are still quite viable and in play today ;)


)\/(ark
--- SBBSecho 3.10-Linux
* Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)

But I get pissed off at emails that purport to be Resumes, arrive as .ZIP attachments, and the body of the message says "This is my job application/resume. Password is 1234". Jeeez.

They are not even putting much effort behind those, are they? :) Of
course, I am sure they still get some folks who will open it anway.

Mike


* SLMR 2.1a * It was all so different before everything changed.
--- SBBSecho 3.10-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)

Hello Mike!

** 11.03.20 - 17:39, Mike Powell wrote to AUGUST ABOLINS:

attachments, and the body of the message says "This is my job
application/resume. Password is 1234". Jeeez.

They are not even putting much effort behind those, are they? :) Of
course, I am sure they still get some folks who will open it anway.

No they're not. But I guess we can be grateful that since it is so
blatently stupid, it screams "to be avoided".

I've seen exactly this simple type of scam since the early 2000's. The
fact that we still see this today probably indicates that it is indeed successful in many cases.

But it upsets me that there is the innocent unsuspecting internet newbie
who would automatically go for the "click" before they realize it's too
late.

The attachment could actually be an .exe even though it looks like a .zip

One click, and you're toast.

Are tablets/smartphones immune to this type of trick?
Are webbased email accounts immune?

../|ug

--- OpenXP 5.0.43
* Origin: /|ug's Point, Ont. CANADA (2:221/1.58)

Hello mark!

** 11.03.20 - 12:31, mark lewis wrote to August Abolins:

don't get mad... work with your software and adjust its filtering to
better catch the c4rp...

I don't exhibit the same zen you have. ;)

Although I can spot a lie like and email scam, I just get angry that some innocent person will fall for it.

the reason this is done is "social hacking" at its best... barnum was
right... remember, the 419 scams are still quite viable and in play today
;)

I would have to say that the barnum reference is different. With barnum, people had to go to his circus of lies first before they were enticed to
pay $'s for the big reveal and *then* thereby becoming the suckers.

In email scams, we're getting the lies sent to us fist assuming that we
are already the suckers. I resent that premise.

I admire your zen.


../|ug

--- OpenXP 5.0.43
* Origin: /|ug's Point, Ont. CANADA (2:221/1.58)

Hi mark!

11 Mar 2020 12:31, from mark lewis -> August Abolins:

But I get pissed off at emails that purport to be Resumes,
arrive as .ZIP attachments, and the body of the message
says "This is my job application/resume. Password is 1234".
Jeeez.

don't get mad... work with your software and adjust its filtering to better catch the c4rp...

I have seen a really amazing effect when activating greylisting.

The number of SPAM mails is now near 0.

It is quit easy.
The mailserver refuses the first contact attempt, and allows subsequent ones. Spammers never come back, regular mailservers must, if they are correctly implemented.
Quit easy and extremely effective!

CU, Ricsi

... Because his parents were easily discouraged, he's an only child.
--- GoldED+/LNX
* Origin: Anything that can go wrong will! (2:310/31)