Hope this helps!Hello Alessandro,Given the SHA256 hashes in those replies, we've confirmed it was the original e-mail and your subsequent reply that were submitted to us, not the DLL files themselves. I'll take a look at both binaries and reply back with the signature names.On Thu, Nov 18, 2021 at 1:49 PM Alessandro Vesely via clamav-users <clamav-users@lists.clamav.net> wrote:Hi all,
even though I filter incoming messages with ClamAV, last Monday I received a mail with two suspicious attachments. They were PE32+ executable (DLL) (GUI) x86-64, for MS Windows. I uploaded the samples to virustotal.com, who reported they were recognized as troyans. I saved the viral message and uploaded it to https://www.clamav.net/reports/malware. On Tuesday I received the following message:
-------- Forwarded Message --------
Subject: ClamAV.net - Your malware submission
Date: Tue, 16 Nov 2021 07:23:26 +0000 (UTC)
From: noreply@clamav.com
To: vesely@tana.it
Alessandro Vesely,
Thank you again for your submission.
Your File:
purchase-ORD (SHA256: 2ac2bb49a9135954a298cbb3e52b3ecfcb1e5e2dc6d83fac7052d4c3833ac11a)
Our initial assessment shows that this file is possibly clean. If you provided a description that suggests otherwise, we will further examine the sample & proceed from there.
-The ClamAV team
-------- End Of Forwarded Message --------
"If you provided" looked like a future unreal conditional to me. It is certainly unreal, given the From:. Anyway, I replied something like the following text:
https://www.virustotal.com/gui/file/40392920e907b85591dac15d2f4ca49a477e0401abb3334cda2b45a9a513fd58
10 security vendors flagged this file as malicious
40392920e907b85591dac15d2f4ca49a477e0401abb3334cda2b45a9a513fd58
Notificaion-30714_20211115.xll
https://www.virustotal.com/gui/file/8c0b4c9fe9e49b8eaf449aad36ebb39235835ab2c3a49584be7d0697ecb82c21
11 security vendors flagged this file as malicious
8c0b4c9fe9e49b8eaf449aad36ebb39235835ab2c3a49584be7d0697ecb82c21
Document-055293_20211115.xll
However, on Wednesday it bounced, because ClamAV's mail server, tad.clamav.net, is persistently down. I thought that was a temporary hiccup and pehaps the ClamAV team wasn't even aware of it. So I saved the bounce, which contained the whole original message, and uploaded it to the same location, explaining that the attachment was a reply to their message, not a sample. Guess what I received on Thursday?
-------- Forwarded Message --------
Subject: ClamAV.net - Your malware submission
Date: Thu, 18 Nov 2021 08:52:21 +0000 (UTC)
From: noreply@clamav.com
To: vesely@tana.it
Alessandro Vesely,
Thank you again for your submission.
Your File:
reply-to-Clamav-Team (SHA256: e9876ec9577e7c1b4a38236a6d18306e57e618a46d4bcfd1837cfd7e9238c281)
Our initial assessment shows that this file is possibly clean. If you provided a description that suggests otherwise, we will further examine the sample & proceed from there.
-The ClamAV team
-------- End Of Forwarded Message --------
What's the purpose of such messages?
Meanwhile, tad.clamav.net is still down.
Best
Ale
--
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
--Christopher MarczewskiResearch Engineer, TalosCisco Systems443-832-2975