[clamav-users] Two very similar attachments, one detected, one not.

G.W. Haywood clamav at jubileegroup.co.uk
Tue Sep 6 09:58:39 UTC 2022


Hi there,

This morning an attempt was made by Digitalocean IP 143.110.237.196 to
send to us a message which contains two malicious attachments.  The two
attachments are almost identical:

8<----------------------------------------------------------------------
$ atool -l AWB\ #\ 5763190392.DOC.zip 
Archive:  AWB # 5763190392.DOC.zip
   Length      Date    Time    Name
---------  ---------- -----   ----
    729600  2022-09-06 02:27   AWB # 5763190392.DOC.exe
---------                     -------
    729600                     1 file

$ atool -l MFT_5763190392.DOCS.zip 
Archive:  MFT_5763190392.DOCS.zip
   Length      Date    Time    Name
---------  ---------- -----   ----
    729600  2022-09-06 02:27   MFT_5763190392.DOCS.exe
---------                     -------
    729600                     1 file
8<----------------------------------------------------------------------

Both are .ZIP archives containing PE32 executables:

8<----------------------------------------------------------------------
$ file AWB\ #\ 5763190392.DOC.zip 
AWB # 5763190392.DOC.zip: Zip archive data, at least v2.0 to extract
$ unzip AWB\ #\ 5763190392.DOC.zip 
Archive:  AWB # 5763190392.DOC.zip
   inflating: AWB # 5763190392.DOC.exe 
$ file AWB\ #\ 5763190392.DOC.exe 
AWB # 5763190392.DOC.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
8<----------------------------------------------------------------------

8<----------------------------------------------------------------------
$ file MFT_5763190392.DOCS.zip 
MFT_5763190392.DOCS.zip: Zip archive data, at least v2.0 to extract
$ unzip MFT_5763190392.DOCS.zip 
Archive:  MFT_5763190392.DOCS.zip
   inflating: MFT_5763190392.DOCS.exe 
$ file MFT_5763190392.DOCS.exe
MFT_5763190392.DOCS.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
8<----------------------------------------------------------------------

The two executables are identical:

8<----------------------------------------------------------------------
-rw-r--r--  1 ged ged 729600 Sep  6 02:27 'AWB # 5763190392.DOC.exe'
-rw-r--r--  1 ged ged 729600 Sep  6 02:27  MFT_5763190392.DOCS.exe
$ md5sum AWB\ #\ 5763190392.DOC.exe  MFT_5763190392.DOCS.exe
6e15bfd980e87e26ba7f3cf5e488a35d  AWB # 5763190392.DOC.exe
6e15bfd980e87e26ba7f3cf5e488a35d  MFT_5763190392.DOCS.exe
8<----------------------------------------------------------------------

Curiously enough, ClamAV detected one of the executables as malicious
(as usual by one of the Sanesecurity signatures), while the other was
not detected by ClamAV at all:

8<----------------------------------------------------------------------
$ clamdscan AWB\ #\ 5763190392.DOC.zip 
/home/ged/AWB # 5763190392.DOC.zip: Sanesecurity.Foxhole.Zip_fs2087.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 37.597 sec (0 m 37 s)
8<----------------------------------------------------------------------

(Our scanner runs on a Pi4B, remote from the mail server.  It isn't quick. :/)

8<----------------------------------------------------------------------
$ clamdscan MFT_5763190392.DOCS.zip
/home/ged/MFT_5763190392.DOCS.zip: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 42.715 sec (0 m 42 s)
8<----------------------------------------------------------------------

On manually submitting the archive files to Jotti, one of the other
virus scanners (f-secure) had a similar issue:

8<----------------------------------------------------------------------
AWB\ #\ 5763190392.DOC.zip 
...//alpha.local.jubileegroup.co.uk/perl/jotti.pl?submit=Jotti+Scan&3e8...
8<----------------------------------------------------------------------
Read 1 parts, length=526974
Summary:
Name:	3e8ab82e437e15159f5f2156719570767190c7e99d05086a595b6f7afaa4e0f2-526974.txt
Size:	514.62kB (526,974 bytes)
Type:	Zip archive
First seen:	September 6, 2022 at 11:33:23 AM GMT+2
MD5:	e3d0a3017ebb112ec0da6fa750cc66ca
SHA1:	f55c1cd28f213152d80b86a1f2e70f568a7fdd94
Status:	Scan finished. 11/15 scanners reported malware.
Scan taken on:	September 6, 2022 at 11:33:25 AM GMT+2
Results:
https://www.avast.com		Sep 6, 2022	Win32:PWSX-gen
https://www.bitdefender.com	Sep 6, 2022	Trojan.GenericKD.61801737
https://www.clamav.net		Sep 6, 2022	Found nothing
https://www.cyren.com		Sep 6, 2022	W32/MSIL_Troj.CIX.gen!Eldorado
https://www.drweb.com		Sep 6, 2022	Found nothing
https://www.escanav.com		Sep 6, 2022	Trojan.GenericKD.61801737
https://www.fortinet.com	Sep 6, 2022	PossibleThreat
https://www.f-secure.com	Sep 6, 2022	Heuristic.HIDDENEXT/Worm.Gen
https://www.gdatasoftware.com	Sep 6, 2022	MSIL.Trojan-Stealer.AgentTesla.XHY925
https://www.ikarus.at		Sep 6, 2022	Trojan.MSIL.Inject
https://www.k7computing.com/...	Sep 6, 2022	Trojan ( 0058f5f91 )
https://www.kaspersky.com	Sep 6, 2022	Found nothing
https://www.sophos.com		Sep 6, 2022	Mal/DrodZp-A
https://www.trendmicro.com	Sep 5, 2022	Found nothing
https://anti-virus.by/en	Sep 5, 2022	CIL.HeapOverride.Heur
8<----------------------------------------------------------------------

8<----------------------------------------------------------------------
MFT_5763190392.DOCS.zip
...//alpha.local.jubileegroup.co.uk/perl/jotti.pl?submit=Jotti+Scan&c4a...
8<----------------------------------------------------------------------
Read 1 parts, length=526972
Summary:
Name:	c4aaad95656e3310c25ea6e9108a937e6b637508e35a6566ce41de0fc8d21c33-526972.txt
Size:	514.62kB (526,972 bytes)
Type:	Zip archive
First seen:	September 6, 2022 at 11:34:26 AM GMT+2
MD5:	019b3d4ca6a68f132d3346bcfe702b9a
SHA1:	30de6997d691192223b562f5e389a97363e98941
Status:	Scan finished. 10/15 scanners reported malware.
Scan taken on:	September 6, 2022 at 11:34:27 AM GMT+2
Results:
https://www.avast.com		Sep 6, 2022	Win32:PWSX-gen
https://www.bitdefender.com	Sep 6, 2022	Trojan.GenericKD.61801737
https://www.clamav.net		Sep 6, 2022	Found nothing
https://www.cyren.com		Sep 6, 2022	W32/MSIL_Troj.CIX.gen!Eldorado
https://www.drweb.com		Sep 6, 2022	Found nothing
https://www.escanav.com		Sep 6, 2022	Trojan.GenericKD.61801737
https://www.fortinet.com	Sep 6, 2022	PossibleThreat
https://www.f-secure.com	Sep 6, 2022	Found nothing
https://www.gdatasoftware.com	Sep 6, 2022	MSIL.Trojan-Stealer.AgentTesla.XHY925
https://www.ikarus.at		Sep 6, 2022	Trojan.MSIL.Inject
https://www.k7computing.com/...	Sep 6, 2022	Trojan ( 0058f5f91 )
https://www.kaspersky.com	Sep 6, 2022	Found nothing
https://www.sophos.com		Sep 6, 2022	Mal/Generic-S
https://www.trendmicro.com	Sep 5, 2022	Found nothing
https://anti-virus.by/en	Sep 5, 2022	CIL.HeapOverride.Heur
8<----------------------------------------------------------------------

We don't accept mail from unknown Digitalocean IPs, and, in any case,
there was no danger to us from the message as we run no Windows boxes.
Since it triggered no fewer than seven Yara rules here, our automated
system has already submitted it to the ClamAV virus team.

It seems to me that just changing the name of the attached archive
file can hide it from at least some scanners.  I'd be very happy to
send the mail or the attachments to anyone who'd like to investigate.

Steve, the automated system didn't report to Sanesecurity because of
the detection of one of the attachments, but if you'd like to see it
separately please let me know.

-- 

73,
Ged.
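
[Editor's added example, not part of Ged's message nor code from ClamAV or
Sanesecurity.]  The message above shows an identical payload in two ZIP
containers that differ only by member name: the inner .exe hashes match, and
the archive sizes differ by exactly 2 bytes, which is what a one-character
name change produces, since a ZIP stores each member name twice (local file
header and central directory).  The Python below reconstructs that situation
with a constructed stand-in payload (only the two member names are taken from
the post) and runs two toy checks over both archives: a Foxhole-style filename
pattern (document extension immediately followed by an executable extension,
so ".DOC.exe" hits and ".DOCS.exe" does not; this regex is an assumption
about how such signatures work, not a copy of any Sanesecurity signature) and
a content-hash match on the extracted member, which catches both.  It also
emits the ClamAV .hdb line (md5:size:name) that would detect the extracted
payload regardless of how the archive or member is named.

```python
"""Same payload, two ZIP names: filename signatures vs. content hashes.

Added example, not from the original post.  The payload is a constructed
stand-in for the real .NET executable; only the member names come from the
post.  DOUBLE_EXT is an assumed, illustrative pattern, not a real signature.
"""
import hashlib
import io
import re
import zipfile

# Member names from the original post; the payload is constructed, not the real sample.
NAME_A = "AWB # 5763190392.DOC.exe"
NAME_B = "MFT_5763190392.DOCS.exe"
PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(range(256)) * 8

# Toy filename signature (assumption): a document-looking extension immediately
# followed by an executable extension.  ".DOC.exe" matches, ".DOCS.exe" does not.
DOUBLE_EXT = re.compile(r"\.(doc|docx|xls|xlsx|pdf|rtf)\.(exe|scr|com|pif)$",
                        re.IGNORECASE)


def build_zip(member_name: str, payload: bytes) -> bytes:
    """Create a single-member ZIP in memory with a fixed timestamp."""
    buf = io.BytesIO()
    info = zipfile.ZipInfo(member_name, date_time=(2022, 9, 6, 2, 27, 0))
    info.compress_type = zipfile.ZIP_DEFLATED
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(info, payload)
    return buf.getvalue()


def members(zip_bytes: bytes) -> list:
    """Return (name, extracted bytes) pairs for every member in the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(zi.filename, zf.read(zi)) for zi in zf.infolist()]


def payload_md5s(zip_bytes: bytes) -> list:
    """MD5 of each extracted member, i.e. what md5sum gave in the post."""
    return [hashlib.md5(data).hexdigest() for _, data in members(zip_bytes)]


def size_delta(zip_a: bytes, zip_b: bytes) -> int:
    """Each member name is stored twice (local header + central directory),
    so a one-character name difference is a two-byte archive size difference."""
    return len(zip_a) - len(zip_b)


def filename_hits(zip_bytes: bytes) -> list:
    """Member names that match the toy double-extension pattern."""
    return [name for name, _ in members(zip_bytes) if DOUBLE_EXT.search(name)]


def content_hits(zip_bytes: bytes, known_md5s: set) -> list:
    """Members whose extracted bytes hash to a known-bad value, whatever the name."""
    return [name for name, data in members(zip_bytes)
            if hashlib.md5(data).hexdigest() in known_md5s]


def hdb_line(payload: bytes, sig_name: str) -> str:
    """ClamAV .hdb hash-signature line (md5:size:name) for the extracted member.
    clamd scans archive contents, so one such line covers both archives."""
    return f"{hashlib.md5(payload).hexdigest()}:{len(payload)}:{sig_name}"


ZIP_A = build_zip(NAME_A, PAYLOAD)
ZIP_B = build_zip(NAME_B, PAYLOAD)
BAD_MD5S = {hashlib.md5(PAYLOAD).hexdigest()}   # "known bad" for this demo only

if __name__ == "__main__":
    print("payload md5 A/B:", payload_md5s(ZIP_A), payload_md5s(ZIP_B))
    print("archive size delta (bytes):", size_delta(ZIP_A, ZIP_B))
    print("filename-signature hits:", filename_hits(ZIP_A), filename_hits(ZIP_B))
    print("content-hash hits:", content_hits(ZIP_A, BAD_MD5S),
          content_hits(ZIP_B, BAD_MD5S))
    print("hdb line:", hdb_line(PAYLOAD, "Example.RenamedArchive.Payload"))
```

The practical takeaway for a ClamAV operator: a name-based container
signature is only as good as its name list, whereas a hash (.hdb) or body
signature on the extracted executable fires no matter what the sender calls
the archive or the member.  The MD5 in the .hdb line is the same MD5 md5sum
reports on the unzipped file, which is why submitting the extracted sample,
not just the archive, is what gets both variants covered.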