PSA: Don't Open SPAM Containing Password Protected Word Docs

Discussion in 'malware problems & news' started by itman, Jul 13, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I wish Abrams would take a survey on how many fell for this. Might be very enlightening.
    https://www.bleepingcomputer.com/ne...spam-containing-password-protected-word-docs/
     
  2. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Two users at my job today received these. Went through our spam and AV filters. I uploaded them to VirusTotal this morning and they came back clean. Just uploaded again and still nothing. What gives?

    Both end users did not do anything with them thankfully.
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Password protected, so some kind of encryption or restricted access?
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The malware dropper is a packed and obfuscated .js file. Until it is unpacked and unobfuscated, it cannot be detected by AV signatures. One reason the AMS interface was built into Win 10. IF AV vendors use it, it will intercept Powershell, wscript, and jscript files as they decloak and allow AV vendors to scan them prior to execution.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    So far score is 2 received and 0 opened :thumb:
     
  6. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    I figured as much. That will be the day when that happens brother! We use Sophos at work and I submitted both files to them. They replied back today saying they now have signatures for them. However when tested it did not seem to do anything. Unless they are just blocking and detecting upon execution? Not sure.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    If this is the case, there should be something in the Sophos log files about the detection and auto quarantine.
     
  8. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    I plan to follow up with their support.
     