G+_Jason Perry Posted September 10, 2018 So I was emailed this "invoice" from a company I do business with. Being the paranoid person I am, I checked the email address to see if it matches the one I have on file for them. It checks out. I open the invoice expecting it to be something to do with the new copier we got from them. The picture below is what I see. Stupid me, I clicked the button. Nothing happened. I email the person back and received a reply from her boss: this was not from us. Hmmm... I reply, the email address is yours, are you sure? Response, "we audited our servers, it is not from us." My next move is to run the file through VirusTotal. It says it is clean, file type Open Office XML. I know there are smart people here; how do I find out more about this file?
G+_Black Merc Posted September 10, 2018 Can you read the entire email (headers and all) in plain text? May reveal the 'true' source.
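One way to do the raw-header check Black Merc describes, as an added example that is not part of this thread. It uses Python's standard `email` module to parse a message and pull out the headers a defender looks at first: the envelope sender (`Return-Path`), `From:` and `Reply-To:` domains, the `Received:` hop chain (top entry is the most recent hop) and `Authentication-Results`. The message it runs on is a constructed sample (all `.example.invalid` names and documentation IPs), not the invoice email from the thread; the mismatch rules and the `header_summary` name are this example's own.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not the email from the thread). The From: header
# carries the vendor's domain, but the envelope sender, Reply-To and the host
# that handed the mail to the recipient's MX do not.
SAMPLE_RAW = b"""\
Return-Path: <bounce-4421@mailer.example.invalid>
Received: from mailer.example.invalid (mailer.example.invalid [198.51.100.7])
\tby mx.recipient.example.invalid with ESMTP id 9Xk3Qa; Mon, 10 Sep 2018 08:12:03 -0400
Received: from WIN-DESKTOP (unknown [203.0.113.45])
\tby mailer.example.invalid with ESMTPA; Mon, 10 Sep 2018 08:11:58 -0400
Authentication-Results: mx.recipient.example.invalid;
\tspf=fail smtp.mailfrom=mailer.example.invalid; dkim=none
From: "Accounts Payable" <accounts@vendor.example.invalid>
Reply-To: <accounts@vendor-invoices.example.invalid>
To: <jason@recipient.example.invalid>
Subject: Invoice 10332
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Please find attached the invoice for your new copier.
"""


def domain_of(addr) -> str:
    """Return the lowercase domain part of an address header, or '' if none."""
    _, addr = parseaddr(str(addr))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_received(value: str) -> dict:
    """Pull the claimed sending host, its IP and the receiving host out of one Received: header."""
    value = " ".join(value.split())  # unfold continuation whitespace
    host = re.search(r"\bfrom\s+(\S+)", value)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    by = re.search(r"\bby\s+(\S+)", value)
    return {"from": host.group(1) if host else "",
            "ip": ip.group(1) if ip else "",
            "by": by.group(1) if by else ""}


def header_summary(raw: bytes) -> dict:
    """Summarise the headers a defender checks first and flag the common mismatches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    envelope_dom = domain_of(msg.get("Return-Path", ""))
    # Received: headers are prepended by each hop, so index 0 is the last hop (closest to you).
    hops = [parse_received(str(h)) for h in msg.get_all("Received", [])]
    auth = " ".join(str(msg.get("Authentication-Results", "")).split())
    flags = []
    if envelope_dom and envelope_dom != from_dom:
        flags.append("envelope sender domain differs from From: domain")
    if reply_dom and reply_dom != from_dom:
        flags.append("Reply-To domain differs from From: domain")
    if re.search(r"\bspf=fail\b", auth):
        flags.append("SPF failed")
    if re.search(r"\bdkim=none\b", auth) or not re.search(r"\bdkim=", auth):
        flags.append("no DKIM signature verified")
    if hops and from_dom and not hops[0]["from"].lower().endswith(from_dom):
        flags.append(f"delivering host {hops[0]['from']} is not in {from_dom}")
    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "envelope_domain": envelope_dom, "hops": hops,
            "auth_results": auth, "flags": flags}


if __name__ == "__main__":
    summary = header_summary(SAMPLE_RAW)
    for hop in summary["hops"]:
        print(f"hop: from {hop['from']} [{hop['ip']}] by {hop['by']}")
    for flag in summary["flags"]:
        print("flag:", flag)
```

A matching `From:` address on its own proves little, which is the point of reading the raw headers: the envelope sender, the hop chain and the SPF/DKIM results live in the parts most mail clients hide. To run this on a real message, export it as raw `.eml` text from the mail client and pass the bytes to `header_summary`.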
G+_Ben Reese Posted September 10, 2018 Opening it on your phone (like it appears you did) is probably safer than opening it on Windows. If it's a DOCX file, you can probably rename it to .zip and extract the content in plaintext. I think there is a plain text XML format that will work with Word, so maybe try opening in Notepad++? I agree with Black Merc though. See if you can view and examine the full header.
G+_Paul Hutchinson Posted September 10, 2018 Black Merc's suggestion is definitely step one. You can download it to a PC and run scans with other AV & Malware software. With it downloaded you could also open the Office Open XML file in 7-zip (the format is actually a compressed archive), extract out the contents, and examine them in a programmers text editor.
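The rename-to-zip inspection Ben Reese and Paul Hutchinson describe, done in code rather than by hand, as an added example that is not part of this thread. An Office Open XML file is a ZIP archive, so the script lists its members without rendering the document, flags parts a triage analyst would look at (a `vbaProject.bin` macro container, embedded or ActiveX objects), reads every `.rels` relationship file for targets marked `TargetMode="External"`, and pulls the visible text out of `word/document.xml` so the lure wording can be read safely. The `.docx` it inspects is built in memory as a constructed sample (the URL, text and placeholder macro bytes are invented for the example), not the invoice file from the thread; `triage_ooxml` and `build_sample_docx` are this example's own names.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Archive members that warrant a closer look during triage (matched case-insensitively).
SUSPICIOUS_MARKERS = ("vbaproject.bin", "/embeddings/", "/activex/", "oleobject")


def triage_ooxml(data: bytes) -> dict:
    """Inspect an OOXML document from raw bytes without opening it in Office."""
    findings = {"is_zip": False, "entries": [], "suspicious_parts": [],
                "external_targets": [], "text": ""}
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return findings  # not an OOXML container at all; triage it as something else
    findings["is_zip"] = True
    with zipfile.ZipFile(buf) as zf:
        names = zf.namelist()
        for name in names:
            findings["entries"].append(name)
            low = name.lower()
            if any(marker in low for marker in SUSPICIOUS_MARKERS):
                findings["suspicious_parts"].append(name)
            if low.endswith(".rels"):
                # Relationship files declare every link a part has; external
                # targets point outside the archive (web or remote-template URLs).
                for rel in ET.fromstring(zf.read(name)).iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                        findings["external_targets"].append((name, rel_type, rel.get("Target")))
        if "word/document.xml" in names:
            root = ET.fromstring(zf.read("word/document.xml"))
            findings["text"] = " ".join(t.text or "" for t in root.iter(f"{{{W_NS}}}t"))
    return findings


def build_sample_docx() -> bytes:
    """Construct a minimal .docx in memory (constructed sample, not the file from the thread)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                    'package/2006/content-types"><Default Extension="xml" '
                    'ContentType="application/xml"/></Types>')
        zf.writestr("word/document.xml",
                    f'<?xml version="1.0"?><w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
                    '<w:t>Please click the button to view your invoice.</w:t>'
                    '</w:r></w:p></w:body></w:document>')
        zf.writestr("word/_rels/document.xml.rels",
                    f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">'
                    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                    'officeDocument/2006/relationships/hyperlink" '
                    'Target="http://invoice-view.example.invalid/open" TargetMode="External"/>'
                    '</Relationships>')
        # Placeholder bytes only (OLE magic number followed by zeros); a real macro
        # container would be parsed with a dedicated tool rather than flagged by name.
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_ooxml(build_sample_docx())
    print("members:", ", ".join(report["entries"]))
    print("suspicious parts:", report["suspicious_parts"])
    for rels_file, rel_type, target in report["external_targets"]:
        print(f"external {rel_type} in {rels_file}: {target}")
    print("document text:", report["text"])
```

To use it on a downloaded attachment, read the file's bytes and pass them to `triage_ooxml`; a result with `is_zip` false means the file is not an OOXML archive despite its extension, which is itself worth noting. The text extraction only reads `w:t` runs from the main document part, so headers, footers and text boxes stored in other parts are listed as members but not rendered here.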
G+_Scott Snodgrass Posted September 11, 2018 There's ransomware going around disguised as invoices. If you are not expecting the invoice, then remove the email.
G+_Black Merc Posted September 11, 2018 Scott Snodgrass that's why one must investigate... The majority of the mail clients have too many 'automagic' features that tend to help the hostile parties. To defeat that, viewing the email in its raw form will limit that threat. MHO
G+_Jason Perry (Author) Posted September 13, 2018 Scott Snodgrass do you have links to more details on the ransomware? I want to see if the MO matches mine.
G+_Scott Snodgrass Posted September 14, 2018 It doesn't seem to be the same, but PyLocky is the name. This appears to be a different kind of macro virus. The only place I could find it is here: thayer2design.com - Virus: This document created in online version of Microsoft Office Word