
Unsolicited emails with .doc attachments


16 replies to this topic

#1 Al1000 (Global Moderator, Scotland)

Posted 22 October 2014 - 11:27 AM

To begin with, I found a Windows virus in Trash on my Linux operating system today, which I suspect I downloaded with Thunderbird a couple of weeks ago and mentioned it here, but I don't think my computer has been infected.

A few days ago Thunderbird downloaded another email with a .doc attachment, and today I got another one. One was sent from an email address ending in .es which I presume would be Estonia, and the other one looked Chinese. Both emails said the attachments are invoices, and neither contained any of my personal information other than my email address. I also have Thunderbird set to block remote content.

Out of curiosity I saved the .doc attachments to a USB stick (that the computer thinks is a CDROM - it's an old USB stick), and the 'find' command on my Linux terminal which determines the file type, says, about the one I received a few days ago:

al@my_desktop_pc:/media/al/CDROM$ file Copy1935-12.doc 
Copy1935-12.doc: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: I, Template: Normal.dot, Last Saved By: I, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Mon Oct 20 11:29:00 2014, Last Saved Time/Date: Mon Oct 20 11:32:00 2014, Number of Pages: 121, Number of Words: 46463, Number of Characters: 264842, Security: 0
I have other Word documents that I created myself in Windows on this computer, and the output of the 'file' command for them is similar to the above.

The output of 'file' for the one I received today, is:

al@my_desktop_pc:/media/al/CDROM$ file AG7005208AU.doc 
AG7005208AU.doc: Microsoft Word 2007+
I clicked on the first one at the time after reading the output of 'file' and it opened in Libre Office, but just looked like a bunch of jumbled characters with no spaces between them, most of which were upper-case letters. I haven't tried opening the other one, even though the computer says it's a Microsoft Office 2007 document, just in case it isn't.

I'm curious to know why anyone would go to the trouble of sending me an email with an attachment that doesn't contain any information, and claiming that it's an invoice? Is it possible that these aren't Microsoft Word documents, even though the computer says they are? I'm particularly suspicious of AG7005208AU.doc because the output of 'file' is simply 'Microsoft Word 2007+' rather than the more detailed output that I would have expected.

All of the above were sent to the same email address, which is provided by a business rather than a residential ISP, which I have had for many years and regard as my main email address for personal use, and which I have managed to keep relatively free of spam. But I recently set about clicking on the 'unsubscribe' links in all of the spam emails that I was receiving, and wonder if doing so could have alerted someone with nefarious intentions that this email address is being used?

Finally, other than changing my email address, or logging into the server to access my email instead of downloading it with Thunderbird, is there anything I can do to stop these emails being downloaded?

Edited by Al1000, 22 October 2014 - 11:30 AM.



#2 wizardfromoz

Posted 22 October 2014 - 06:20 PM

Have you read all of Lawrence's epistle, in particular on page 2, here?

The part I am interested in is:

> They are typically emails that pretend to be from a business that people commonly work with. UPS, Fedex, Xerox, etc. They contain zips that pretend to be scans, business correspondences, tracking information, etc. Inside the zip files are files that have a PDF icon, but are actually executables with .exe, .scr, etc extensions. The file would be named something like shipping-confirmation.pdf.scr. As Windows does not show extensions by default, the file would just look like shipping-confirmation.pdf, so people assume its a PDF file. When you double-click on it to open it, it infects your computer and then deletes itself.

I understand your circumstances are different, but there may be a connection?

I don't unsubscribe, I just delete 'em. Occasionally I will try tracking the source with a WHOIS lookup at a Regional Registry (APNIC in Oz's case).

If an email contains what looks like a block of fairly unique text, I will block it and Advanced Search, and often come up with a hoax or scam listed at Nuketown or Urban Legends, etc.

> is there anything I can do to stop these emails being downloaded?

Don't rely on ME for a quick answer, the concept of "quick Wizard" is an oxymoron, lol. But I'll look when I can.

:wizardball:



#3 Animal (Site Admin)

Posted 22 October 2014 - 09:02 PM

> <snip>
> A few days ago Thunderbird downloaded another email with a .doc attachment, and today I got another one. One was sent from an email address ending in .es which I presume would be Estonia, and the other one looked Chinese. <snip>


FWIW: Estonia 2 digit country code is EE. ES is Spain.

Source: http://countrycode.org/


#4 wizardfromoz

Posted 22 October 2014 - 10:00 PM

Aitäh (thank you in Estonian) and Gracias (español)



#5 cat1092 (BC Advisor, North Carolina, USA)

Posted 22 October 2014 - 10:02 PM

The best way to deal with suspicious email is to delete any of these w/out opening. Do Not click any 'unsubscribe' links if one has been opened. If there's an option to report one as Spam or Junk, do so, and then empty the junk folder afterwards. One way that will help to determine spammers is by keeping our Address/Contact lists current. There's no need to keep contacts of those we haven't done business with in the last 5 years. In the event that we do again, these can always be re-added. These lists help the email client to determine if it's real or spam/junk.

Each & every one of us should know if we're expecting a package, or a copy of an invoice, as well as where it's coming from. Many will then send out tracking numbers, but there will never be a reference to a lost package, and no attachment will be needed to receive what one pays for. It's the way I've done business on the Internet for nearly 20 years (since Windows '95), and I don't expect this to change. The only times one should be getting messages from carriers is if we, the customer, sign up for status updates, possibly for future movement, and when on the way or delivered.

Any other Shipping notices should be marked as Spam/Junk, and then the folder emptied. This trains the email program or client on how to look for such notices. Sometimes I get these in my Microsoft Account, but 98 out of 100 times, it'll be in the Junk folder, where I can glance at what's in there & as long as none of my good emails are there (this seldom happens), empty the folder w/out opening the emails.

In the case where any of these are opened on a Linux computer, the chances of getting infected, while not impossible, are far less than on a Windows install. Except in extreme cases, where one clicks onto something & then the sudo password was requested & entered (who would do this?), there's no need to worry, because the sudo password has to be entered to execute anything. That is why I'm an opponent of any watering down of security to save, what, 15-30 seconds? If speed is a concern, purchase an SSD to speed along the entire system.

 

Cat




#6 Al1000 (Topic Starter, Global Moderator, Scotland)

Posted 23 October 2014 - 09:05 AM

> Have you read all of Lawrence's epistle, in particular on page 2, here?

Not until now. This part particularly interests me:

> Okay, my next question is, what does this infection look like BEFORE it is launched and parents itself on a system? I've read from malware site that they can eliminate it, (but not decrypt your files) and only after it infects a machine. What does this look like BEFORE it is launched and what anti virus catches it... eg. what can scan this as a 'bad pdf' and recognize the threat?
> We all know what it looks like AFTER it's hit, leaving the three main files in every encrypted directory. What program will catch this sucker before it launches?
>
> They are typically emails that pretend to be from a business that people commonly work with. UPS, Fedex, Xerox, etc. They contain zips that pretend to be scans, business correspondences, tracking information, etc. Inside the zip files are files that have a PDF icon, but are actually executables with .exe, .scr, etc extensions. The file would be named something like shipping-confirmation.pdf.scr. As Windows does not show extensions by default, the file would just look like shipping-confirmation.pdf, so people assume its a PDF file. When you double-click on it to open it, it infects your computer and then deletes itself.
>
> All mainstream antivirus programs will detect it. Unfortunately, these malware developers commonly change their executables so that they elude detection by an anti-virus software. This makes it so the AV companies are constantly playing a catchup game trying to make sure the latest versions are in the definitions. With that said, no AV is perfect and there is no one product that will always protect you from new threats.

 


It was one of these that I downloaded a couple of weeks ago. As far as I understand it, files in Linux are opened for what they are, and not for what they say they are. So if you were to click an executable file masquerading as a .pdf, you would know something was up when the computer asks you for your password. I don't recall exactly how, but I realised that there was an .exe file in there at the time and didn't attempt to open it - not that I would have thought it would be able to do much being a Windows file in a Linux system. But perhaps it replicated itself when I moved it into trash, since there are two of them, as I mentioned in the other thread.

Regarding these .doc attachments, I found a site called VirusTotal which is owned by Google, and which seems to use over 50 virus scanners to scan any file (max 128MB) that you upload to it. So I uploaded both of these files, and several of the scanners identified them as malicious.

https://www.virustotal.com/uk/file/aa77973a76dbe39516b1f021229516e4104a05cd8d301d772b55f11363a2e5e6/analysis/1414071729/

https://www.virustotal.com/uk/file/d328ceac71beead36034d6f74671a84c197cf2fa9e2155885aa720363045eb0e/analysis/1414071509/
 

Although interestingly, DrWeb is among the scanners that identifies both files as malicious, and I have scanned both of them with my own DrWeb CD (after updating virus definitions) and both files were reported as clean.


Edited by Al1000, 23 October 2014 - 09:12 AM.


#7 Al1000 (Topic Starter, Global Moderator, Scotland)

Posted 23 October 2014 - 09:07 AM

> FWIW: Estonia 2 digit country code is EE. ES is Spain.

 

Thanks!



#8 Al1000 (Topic Starter, Global Moderator, Scotland)

Posted 23 October 2014 - 09:08 AM

> The best way to deal with suspicious email is to delete any of these w/out opening. Do Not click any 'unsubscribe' links if one has been opened

 

That seems like a good idea, although it never occurred to me at the time that any of these emails I unsubscribed to would be anything other than innocent spam, i.e. people trying to sell me stuff.


Edited by Al1000, 23 October 2014 - 09:09 AM.


#9 wizardfromoz

Posted 23 October 2014 - 03:38 PM

 

> innocent spam

... isn't that an oxymoron?

Good luck mate, keep us posted any new devs.

:wizardball:



#10 Didier Stevens (BC Advisor)

Posted 24 October 2014 - 03:38 PM

> I'm curious to know why anyone would go to the trouble of sending me an email with an attachment that doesn't contain any information, and claiming that it's an invoice? Is it possible that these aren't Microsoft Word documents, even though the computer says they are? I'm particularly suspicious of AG7005208AU.doc because the output of 'file' is simply 'Microsoft Word 2007+' rather than the more detailed output that I would have expected.

This is often done by criminals who try to infect people's computers.

 

The files can be anything, regardless of their extension.

If you submit them to VirusTotal and post the link to the reports here, I'll have a look and let you know.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019


#11 Orange Blossom (Moderator, Bloomington, IN)

Posted 24 October 2014 - 04:03 PM

You should set up the e-mail so that no images are shown in the e-mail body, but rather as attachments. The reason is that there are spammers that include things like a 1 pixel clear image in an e-mail message so that they know they have a live account when the e-mail is opened. If images are present only as attachments, however, that foils that method.

Any suspected spam should be straight deleted without opening or viewing. Clicking unsubscribe doesn't help, that will simply result in your receiving even more spam.

If you're unsure about an e-mail, instead of opening it, save it as a file. Then open it using a plain text editor, such as notepad. Yes, there will be gibberish in there, but you won't be executing any bad stuff, and you should be able to tell if the e-mail is legit or not.

 

~ OB :cherry:


Edited by Orange Blossom, 24 October 2014 - 04:04 PM.

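Orange Blossom's advice above (save the message as a file, inspect it without rendering, and keep remote images from loading) can be done more reliably than by eyeballing gibberish in Notepad. The following is an added example, not code from the original thread or from anyone posting in it. It parses a saved .eml with Python's standard `email` package, lists every remote `<img>` in the HTML part and flags the 0/1-pixel ones that exist only to confirm a live mailbox, and for each attachment compares the declared MIME type with what the first bytes of the payload actually are. The sample message is constructed here for the example (the addresses, the tracker URL and the ten-byte "attachment" are made up) and is not one of the messages from the thread.

```python
"""Triage a saved e-mail (.eml) without rendering it: list its parts, flag
remote images that can act as tracking pixels, and compare each attachment's
declared type with what its first bytes actually are."""
import email
import re
from email import policy

# Constructed sample, modelled on the thread: an "invoice" mail carrying a
# .doc attachment and a 1x1 remote image. Not a real message.
SAMPLE_EML = b"""From: billing@example.invalid
To: al@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please find your invoice attached.</p>
<img src="http://tracker.example.invalid/open?id=42" width="1" height="1">
</body></html>
--b1
Content-Type: application/msword; name="Copy1935-12.doc"
Content-Disposition: attachment; filename="Copy1935-12.doc"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# A few magic numbers; enough to catch the usual extension/content mismatches.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (legacy .doc/.xls)"),
    (b"PK\x03\x04", "ZIP container (OOXML .docx/.docm, or a plain .zip)"),
    (b"MZ", "Windows executable (PE)"),
    (b"%PDF", "PDF"),
]

IMG_TAG = re.compile(r'<img[^>]*\bsrc=["\']?(https?://[^"\'\s>]+)[^>]*>', re.I)
TINY_DIM = re.compile(r'\b(?:width|height)=["\']?[01](?!\d)', re.I)


def sniff(data: bytes) -> str:
    """Name the real format from the leading bytes, ignoring the extension."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report what a renderer would have done."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"subject": str(msg["subject"]), "remote_images": [], "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html":
            # Every remote <img> is a fetch the client would make on open;
            # a 0/1-pixel one exists only to confirm the address is live.
            for m in IMG_TAG.finditer(part.get_content()):
                report["remote_images"].append(
                    {"url": m.group(1), "pixel": bool(TINY_DIM.search(m.group(0)))})
        elif part.get_filename():
            data = part.get_payload(decode=True) or b""
            report["attachments"].append({
                "filename": part.get_filename(),
                "declared": part.get_content_type(),
                "sniffed": sniff(data),
                "size": len(data),
            })
    return report


if __name__ == "__main__":
    import json
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EML
    print(json.dumps(triage(raw), indent=2))
```

Run it as `python triage_eml.py saved-message.eml` (any filename; the script name is arbitrary). On the constructed sample it reports one remote image flagged as a pixel, and one attachment declared `application/msword` whose bytes are actually a ZIP container, which is the same mismatch between name and content that the `file` output in the first post hints at. Nothing in the message is executed or fetched at any point.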

#12 Al1000 (Topic Starter, Global Moderator, Scotland)

Posted 25 October 2014 - 07:05 AM

> This is often done by criminals who try to infect people's computers.
>
> The files can be anything, regardless of their extension.
> If you submit them to VirusTotal and post the link to the reports here, I'll have a look and let you know.


Thanks. I already submitted them to VirusTotal, and the links in post #6 are to the results of the scans.

#13 Al1000 (Topic Starter, Global Moderator, Scotland)

Posted 25 October 2014 - 07:16 AM

> You should set up the e-mail so that no images are shown in the e-mail body, but rather as attachments. The reason is that there are spammers that include things like a 1 pixel clear image in an e-mail message so that they know they have a live account when the e-mail is opened. If images are present only as attachments, however, that foils that method.

That is how I do have it set up, and I previously had Outlook Express in XP set up the same way for many years.
 

> Any suspected spam should be straight deleted without opening or viewing. Clicking unsubscribe doesn't help, that will simply result in your receiving even more spam.

I think that most of them must have been legitimate, as I'm not receiving nearly so much spam now. For example over the last five days I have only received another four unsolicited emails, in addition to the second one in the OP. I'm not sure what I used to average, but I have over 4,000 unopened unsolicited emails backed up from Outlook Express, which I saved when I deleted my old XP installation and switched to Thunderbird on Linux. Out of the four emails, three appear to be from legitimate companies - although I will make sure that they are before I click on the unsubscribe links this time.

The other one is from editor@e.foreignaffairs.com, and Thunderbird is warning me that this one may be a scam - so I'll leave it well alone.
 

> If you're unsure about an e-mail, instead of opening it, save it as a file. Then open it using a plain text editor, such as notepad. Yes, there will be gibberish in there, but you won't be executing any bad stuff, and you should be able to tell if the e-mail is legit or not.
>
> ~ OB :cherry:

Thanks for the advice.


Edited by Al1000, 25 October 2014 - 07:26 AM.


#14 Didier Stevens (BC Advisor)

Posted 25 October 2014 - 08:43 AM

> https://www.virustotal.com/uk/file/aa77973a76dbe39516b1f021229516e4104a05cd8d301d772b55f11363a2e5e6/analysis/1414071729/
>
> https://www.virustotal.com/uk/file/d328ceac71beead36034d6f74671a84c197cf2fa9e2155885aa720363045eb0e/analysis/1414071509/
>
> Although interestingly, DrWeb is among the scanners that identifies both files as malicious, and I have scanned both of them with my own DrWeb CD (after updating virus definitions) and both files were reported as clean.

 

 

The first file is a malicious .doc file.

The second file is a malicious .docx file with a VBA macro that executes a PowerShell script.

 

Since you are not using Microsoft Office on Windows, you run no risk, even if you opened the files with OpenOffice or LibreOffice on Linux.

OpenOffice or LibreOffice don't have the same vulnerabilities as Microsoft Office, and they don't support VBA.


Edited by Didier Stevens, 25 October 2014 - 10:24 AM.

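Didier's verdict above rests on two facts the first post already brushed against: the extension says nothing about what a file is, and the `file` output "Composite Document File V2" versus "Microsoft Word 2007+" is really OLE2 compound file versus ZIP-based OOXML. What follows is an added example, not code from the thread and not one of Didier's own tools: it sniffs the container from the leading bytes and then looks for the VBA storage a macro document carries, `word/vbaProject.bin` (or the macro-enabled content types) inside an OOXML ZIP, and the `_VBA_PROJECT` / `Macros` stream names (stored as UTF-16LE by the OLE2 directory) or the literal `Attribut` run that begins compressed module source in a legacy file. The OLE2 side is a byte-scan heuristic, not a compound-file parser; a proper stream walk (for example with oledump or olevba) is the next step. The sample containers are constructed in memory for the example and are not the two attachments from the thread.

```python
"""Sniff what an Office attachment really is, ignoring its extension, and look
for the VBA macro storage that a malicious document would carry."""
import io
import sys
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound Document File V2
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) is a ZIP

# OLE2 directory entries store stream names as UTF-16LE; these two are present
# in a legacy document that carries a VBA project.
OLE_VBA_STREAMS = ["_VBA_PROJECT", "Macros"]
# Compressed VBA module source begins with a literal "Attribut" run.
OLE_VBA_SOURCE_HINT = b"Attribut"

# Content types that only a macro-enabled OOXML package declares.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
)


def classify(data: bytes) -> dict:
    """Return {'container', 'vba', 'evidence'} for a file's raw bytes."""
    report = {"container": "unknown", "vba": False, "evidence": []}
    if data.startswith(OLE2_MAGIC):
        report["container"] = "ole2"
        for name in OLE_VBA_STREAMS:           # heuristic byte scan, no parsing
            if name.encode("utf-16-le") in data:
                report["vba"] = True
                report["evidence"].append(f"stream name {name}")
        if OLE_VBA_SOURCE_HINT in data:
            report["vba"] = True
            report["evidence"].append("compressed VBA source")
    elif data.startswith(ZIP_MAGIC):
        report["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # vbaProject.bin under word/, xl/ or ppt/ holds the macros.
                for name in names:
                    if name.lower().endswith("vbaproject.bin"):
                        report["vba"] = True
                        report["evidence"].append(f"part {name}")
                if "[Content_Types].xml" in names:
                    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                    for ct in MACRO_CONTENT_TYPES:
                        if ct in ctypes:
                            report["vba"] = True
                            report["evidence"].append(f"content type {ct}")
        except zipfile.BadZipFile:
            report["container"] = "zip-damaged"   # PK header but no usable directory
    return report


def _build_ooxml(with_vba: bool) -> bytes:
    """Construct a minimal OOXML package in memory (a stand-in, not a real document)."""
    main_ct = (MACRO_CONTENT_TYPES[1] if with_vba else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    types = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
             f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_vba:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPES[0]}"/>')
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)  # placeholder bytes
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def _build_ole2(with_vba: bool) -> bytes:
    """Construct a fake OLE2 header plus filler (enough for the sniff, not a parseable file)."""
    body = OLE2_MAGIC + b"\x00" * 504
    if with_vba:
        body += "_VBA_PROJECT".encode("utf-16-le") + b"Attribute VB_Name"
    return body


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:                                  # no files given: show the constructed samples
        for label, sample in [("ooxml+vba", _build_ooxml(True)), ("ooxml", _build_ooxml(False)),
                              ("ole2+vba", _build_ole2(True)), ("ole2", _build_ole2(False))]:
            print(label, classify(sample))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, classify(fh.read()))
```

Point it at the saved attachments (`python sniff_office.py AG7005208AU.doc Copy1935-12.doc`; the script name is arbitrary) and the second file, a ZIP with `word/vbaProject.bin` inside despite its `.doc` name, is exactly the case Didier describes. A positive result here means "this document carries macros", not "this document is malicious"; what the macro does still has to be read out of the VBA project.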


#15 Al1000 (Topic Starter, Global Moderator, Scotland)

Posted 25 October 2014 - 09:46 AM

Many thanks for the info. Indeed, if I was using Windows I wouldn't have taken the chance, but curiosity got the better of me since I'm now using Linux.

As I mentioned in the OP I clicked on the first one at the time, which would be the malicious .doc file, and it (automatically) opened in Libre Office.

I think my curiosity has been satisfied now, and I'll just delete any unsolicited attachments from now on without opening them.

Thanks again!

Edited by Al1000, 25 October 2014 - 09:47 AM.




