Thursday, 26 July 2012

Scan from a Hewlett-Packard ScanJet

I recently received several mails claiming that my document had been scanned and sent to me.

Subjects vary; there are many variants in which only the number differs:
Re: Scan from a HP ScanJet #920330420
Fwd: Re: Scan from a Hewlett-Packard ScanJet 02872405

That notification would be great, except for the fact that I didn't scan anything:


You received your document !

The text reads:
Attached document was scanned and sent
to you using a Hewlett-Packard I-25625SL.
SENT BY : ORPHA
PAGES : 4
FILETYPE: .DOC [Word2003 File]

Classic social engineering trick: the mail body makes you believe the file is a Word document. If we open the ZIP archive, we can clearly see it is just an EXE file. Did they forget to swap in a Word icon, perhaps?


The file type is clearly an application, not a Word document

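As an added example (not part of the original post and not the author's tooling), the following Python script shows the check an analyst or a mail gateway would apply before trusting the "FILETYPE: .DOC" claim: open the archive and identify each member by the bytes at the start of its content, not by its name. It also flags the two variants of the same trick, a double extension such as ".doc.exe" and a ".doc" name whose content is actually an executable. The sample archive and every member's bytes are constructed inline; the entry name from the mail is reused for illustration only and the contents are not the real payload.

```python
"""Inspect a ZIP attachment and report each member's real file type.

Added example, not code from the original post. The archive below is
constructed in memory; none of the member bytes are the real sample.
"""
from __future__ import annotations

import io
import os
import zipfile

# Magic bytes checked first by most gateways and analysts. Word 2003 .doc
# files are OLE compound documents, Office 2007+ files are ZIP (OOXML),
# and Windows executables start with the DOS "MZ" stub.
MAGIC = [
    (b"MZ", "PE executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound document"),
    (b"PK\x03\x04", "ZIP container"),
    (b"%PDF", "PDF"),
]

# What the content of a file with this extension should look like.
EXPECTED = {
    ".doc": "OLE compound document",
    ".docx": "ZIP container",
    ".pdf": "PDF",
}


def classify(head: bytes) -> str:
    """Map the first bytes of a file to a type name, or 'unknown'."""
    for sig, name in MAGIC:
        if head.startswith(sig):
            return name
    return "unknown"


def inspect_zip(zip_bytes: bytes) -> list[dict]:
    """Return one record per member: name, extension, detected type and the
    reasons (if any) it should be treated as a disguised executable."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                kind = classify(fh.read(16))
            stem, ext = os.path.splitext(info.filename)
            ext = ext.lower()
            inner_ext = os.path.splitext(stem)[1].lower()
            reasons = []
            if kind == "PE executable":
                # An executable inside a mailed archive is suspicious on its own.
                reasons.append("executable")
            if inner_ext in EXPECTED:
                # "scan.doc.exe" relies on Windows hiding the final extension.
                reasons.append("double extension")
            if ext in EXPECTED and kind != EXPECTED[ext]:
                # Name says document, content says something else.
                reasons.append("type mismatch")
            records.append({"name": info.filename, "ext": ext,
                            "kind": kind, "reasons": reasons})
    return records


def build_sample_zip() -> bytes:
    """Constructed sample archive standing in for the mailed attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # The case from the post: an .exe that the mail body calls a .DOC.
        zf.writestr("HP_Scan_N989397452.exe", b"MZ" + b"\x90" * 62 + b"\x00" * 200)
        # Same payload hidden behind a double extension.
        zf.writestr("HP_Scan.doc.exe", b"MZ" + b"\x00" * 100)
        # A .doc name with executable content.
        zf.writestr("Scan_0001.doc", b"MZ" + b"\x00" * 100)
        # A genuine-looking Word 2003 header, for contrast.
        zf.writestr("real_scan.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 100)
    return buf.getvalue()


if __name__ == "__main__":
    for rec in inspect_zip(build_sample_zip()):
        verdict = ", ".join(rec["reasons"]) or "ok"
        print(f"{rec['name']:28} {rec['kind']:24} {verdict}")
```

Only the content-based type is trusted here; the extension is used solely to detect a disagreement with it, which is exactly the disagreement the mail in this post relies on the reader not noticing.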

Let's see some more information about this file:

HP_Scan_N989397452.exe
VirusTotal detection: 18/41
MD5: e187763c92e2acc6bb1c804309ebb381
VirusTotal Report
ThreatExpert Report
Anubis Report


The file tries to phone home to 78.46.64.17 to fetch instructions; that address appears to be part of the Feodo botnet. - IPvoid result

In case you're wondering, the mails were sent by the Cutwail spam botnet. Some example IPs:
190.43.118.189 - IPvoid result
211.221.155.211 - IPvoid result




Conclusion

Pretty simple. Never open mails from unknown senders, and certainly not their attachments. And when a mail claims to deliver a Word document, the attachment should be a Word document, not an executable inside a ZIP archive.
