Sponsored by..

Wednesday 19 June 2013

HP Spam / HP_Scan_06292013_398.zip FAIL

I've been seeing these spams for a couple of days now..

Date:      Wed, 19 Jun 2013 09:39:27 -0500 [10:39:27 EDT]
From:      HP Digital Device [HP.Digital0@victimdomain]
Subject:      Scanned Copy

Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.

To view this document you need to use the Adobe Acrobat Reader.

This email has been scanned for viruses and spam.

The is an attachment called HP_Scan_06292013_398.zip. Obviously this is an attempt to deliver malware.. but the attachment is too small to have a payload. Initially I thought that it was some random part of somebody's security infrastructure stripping it off until I got a really clean copy.. and the ZIP file was just 8 bytes:
12 BA E8 AC 16 AC 7B AE
 Another sample version looks like this, with just 6 bytes:
12 BA E8 AC 16 AC
Googling for 12BAE8AC16AC or 12BAE8AC16AC7BAE gets nothing at all (well, except it will now I've blogged about it). Weird, huh?


Unknown said...

I just ran through the same exact process with this file. And came to the same conclusion.

Looks like the baddie should have used a decent crypter.

Anywhoo did you catch the typo in the e-mail that was sent too. LoL.

"use the adobe acrobat"

Unknown said...

I've got one that is over 100k

Unknown said...

I'm getting these too but my attachments are larger - ~300 Bytes.

recoverycomedy said...

Thanks for publishing this. I was expecting a document and I figured this was a virus, but a part of me still wanted to open it. After finding your article glad I didn't. Strange that you're the only posting I've found about this.

recoverycomedy said...
This comment has been removed by the author.
Unknown said...

Three people in my organization also got it. All around one 100 bytes, one 133 bytes.

Unknown said...

"I've got one that is over 100k"

100 k or 100 B

Conrad Longmore said...

Yes, weirdly it seems to be bigger when displayed in email (about 300 bytes), although perhaps that includes part of the MIME encoding.

Yesterday it was Dunn and Bradstreet with the same characteristis.

jasermd said...

if clicked on will it cause any problems??

Unknown said...

We've gotten several dozen of these today, but I can't tell if they're from an internal machine that's been compromised, or some external source that happens to have contacts in our company (most seem to go to an invalid mailbox). Symantec Mail Security is quarantining them, but I'd like to figure out how to stop them altogether. Any thoughts?

Chris said...
This comment has been removed by the author.
Chris said...

Had the same emails at our organization, they're showing up as ~300 B attachments in Outlook. Downloaded it a linux vm and viewed the files in a hex editor they're only 8 B.

McAfee Email Gateway picked them up and flagged some of them but we've had users calling all day about them so it must not be getting all of them.

The ones we are receiving appear to be addressed from one of our servers. We're trying to figure out if they're spoofed or if we've got an infected server now. Our organization's directory is publicly accessible on our web site so spoofing attacks that hit most of our employees aren't unusual.

TravisX² said...

I'm having the same issue.
ESET stripped the ones I got earlier today(which had larger package) but the ones this afternoon are not being flagged and also appear to small (338 Bytes in outlook, 162 bytes on disk)

Conrad Longmore said...

These are using a spoofed address to appear to come from a printer inside your organisation, they are coming externally though.

We block EXE-in-ZIP files at the perimeter though, so I too was concerned that these were coming from an internal source and were being stripped off by something internal. But it wasn't the case.

And yes.. the users have been calling the helpdesk all day!

TravisX² said...

Has anyone figured out what the deal is?
I thought it might have contained just a link to where the package was hosted but you guys just found the short strings.
Perhaps the infected server that is sending it out has AV that started stripping them before sending.

Unknown said...

Getting a few of these too.

Attachment names same bytes:

HP_Scan_06192013.zip (12 BA E8 AC 16 AC 7B AE)

HP_Scan_06292013_398.zip (12 BA E8 AC 16 AC 7B AE)

TravisX² said...

I have noticed that the file name(s) are changing. HP_Scan_ stays the same but the ##### at the end keeps changing.

Unknown said...

This is some sort of error on the part of the spammer(s). They've been sending broken zip attachments for at least two weeks now.

If you want to see what those bytes mean, plug them into a base64 encoder and everything should make sense.

For example, enter 12BAE8AC16AC7BAE into the hex field here: http://home.paulschou.net/tools/xlate/

TravisX² said...

Shhhh... Don't tell them they are broken!

unixfreaxjp said...

Allow me to add the details as following pastebin: http://pastebin.com/raw.php?i=ErPMafRf

Is a buggy RAT/#bonet was used in this shot of campaign, hope to be as buggy as possible for the future too. ;-)


Unknown said...

Password Stealer

Connects to :

bagdup. com : 80 (

Unknown said...

We received a variant of this email yesterday. The email was from Staples titled "Staples Advantage Invoice Delivery".