Date: Wed, 19 Jun 2013 09:39:27 -0500 [10:39:27 EDT]
From: HP Digital Device [HP.Digital0@victimdomain]
Subject: Scanned Copy
Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.
To view this document you need to use the Adobe Acrobat Reader.
-------------------------------------------------------------------------------
This email has been scanned for viruses and spam.
-------------------------------------------------------------------------------
There is an attachment called HP_Scan_06292013_398.zip. Obviously this is an attempt to deliver malware, but the attachment is too small to have a payload. Initially I thought that some random part of somebody's security infrastructure was stripping it off, until I got a really clean copy and found that the ZIP file was just 8 bytes:
12 BA E8 AC 16 AC 7B AE
Another sample version looks like this, with just 6 bytes:
12 BA E8 AC 16 AC
Googling for 12BAE8AC16AC or 12BAE8AC16AC7BAE gets nothing at all (well, except it will now I've blogged about it). Weird, huh?
22 comments:
I just ran through the same exact process with this file. And came to the same conclusion.
Looks like the baddie should have used a decent crypter.
Anywhoo did you catch the typo in the e-mail that was sent too. LoL.
"use the adobe acrobat"
I've got one that is over 100k
I'm getting these too but my attachments are larger - ~300 Bytes.
Thanks for publishing this. I was expecting a document and I figured this was a virus, but a part of me still wanted to open it. After finding your article glad I didn't. Strange that you're the only posting I've found about this.
Three people in my organization also got it. All around 100 bytes, one 133 bytes.
"I've got one that is over 100k"
100 k or 100 B
Yes, weirdly it seems to be bigger when displayed in email (about 300 bytes), although perhaps that includes part of the MIME encoding.
Yesterday it was Dunn and Bradstreet with the same characteristics.
If clicked on, will it cause any problems?
We've gotten several dozen of these today, but I can't tell if they're from an internal machine that's been compromised, or some external source that happens to have contacts in our company (most seem to go to an invalid mailbox). Symantec Mail Security is quarantining them, but I'd like to figure out how to stop them altogether. Any thoughts?
Thanks.
Had the same emails at our organization; they're showing up as ~300 B attachments in Outlook. Downloaded it to a Linux VM and viewed the files in a hex editor; they're only 8 B.
McAfee Email Gateway picked them up and flagged some of them but we've had users calling all day about them so it must not be getting all of them.
The ones we are receiving appear to be addressed from one of our servers. We're trying to figure out if they're spoofed or if we've got an infected server now. Our organization's directory is publicly accessible on our web site so spoofing attacks that hit most of our employees aren't unusual.
I'm having the same issue.
ESET stripped the ones I got earlier today (which had a larger package), but the ones this afternoon are not being flagged and also appear too small (338 bytes in Outlook, 162 bytes on disk).
These are using a spoofed address to appear to come from a printer inside your organisation; they are coming from outside, though.
We block EXE-in-ZIP files at the perimeter though, so I too was concerned that these were coming from an internal source and were being stripped off by something internal. But it wasn't the case.
And yes.. the users have been calling the helpdesk all day!
Has anyone figured out what the deal is?
I thought it might have contained just a link to where the package was hosted but you guys just found the short strings.
Perhaps the infected server that is sending it out has AV that started stripping them before sending.
Getting a few of these too.
Attachment names same bytes:
HP_Scan_06192013.zip (12 BA E8 AC 16 AC 7B AE)
HP_Scan_06292013_398.zip (12 BA E8 AC 16 AC 7B AE)
I have noticed that the file name(s) are changing. HP_Scan_ stays the same but the ##### at the end keeps changing.
This is some sort of error on the part of the spammer(s). They've been sending broken zip attachments for at least two weeks now.
If you want to see what those bytes mean, plug them into a base64 encoder and everything should make sense.
For example, enter 12BAE8AC16AC7BAE into the hex field here: http://home.paulschou.net/tools/xlate/
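To see what the commenter means without an online tool, here is an added Python triage snippet (not from the post or any commenter) that checks a tiny attachment for a ZIP signature and base64-encodes its raw bytes. The 8-byte dump from the post encodes to `ErrorBase64=` and the 6-byte one to `ErrorBas`: the "attachment" is the base64 decoding of an error string, not an archive at all.

```python
import base64

# Attachment bodies quoted in the post, reconstructed here from the hex dumps.
EIGHT_BYTE_SAMPLE = bytes.fromhex("12BAE8AC16AC7BAE")
SIX_BYTE_SAMPLE = bytes.fromhex("12BAE8AC16AC")

# Signatures a genuine ZIP file starts with: local file header, empty archive
# (end-of-central-directory record only), or spanned-archive marker.
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def has_zip_signature(data: bytes) -> bool:
    """Return True if the bytes start like a real ZIP container."""
    return data.startswith(ZIP_SIGNATURES)


def as_base64(data: bytes) -> str:
    """Base64-encode raw bytes. If a 'file' is really the output of a
    base64 decode that was run on the wrong input (an error message
    instead of an encoded archive), this reverses it and recovers the
    text that was decoded."""
    return base64.b64encode(data).decode("ascii")


def triage_attachment(data: bytes) -> dict:
    """Triage a suspiciously small attachment: size, container check,
    and the base64 view of the bytes."""
    return {
        "size": len(data),
        "looks_like_zip": has_zip_signature(data),
        "base64_view": as_base64(data),
    }


if __name__ == "__main__":
    for name, blob in (("8-byte sample", EIGHT_BYTE_SAMPLE),
                       ("6-byte sample", SIX_BYTE_SAMPLE)):
        print(name, triage_attachment(blob))
```

The same check is useful on any undersized attachment: no `PK` signature plus a readable base64 view means the sender's encoding step failed, and the file can be treated as inert rather than as a possible dropper.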
Shhhh... Don't tell them they are broken!
Allow me to add the details in the following pastebin: http://pastebin.com/raw.php?i=ErPMafRf
A buggy RAT/#botnet was used in this shot of the campaign; hope it is as buggy as possible in the future too. ;-)
#MalwareMustDie!
Password Stealer
Connects to:
bagdup. com : 80 (174.140.168.239)
We received a variant of this email yesterday. The email was from Staples titled "Staples Advantage Invoice Delivery".