[RndTbl] Fwd: Can a pdf file itself be malware Fwd: FW: remittance Message Payment Status Notification

Bitters bittercake2329 at gmail.com
Wed Jan 19 11:55:26 CST 2022


Seems to have a hyperlink inside the PDF that actually leads you to the
malicious software. So maybe that's one way it gets past virus detection.
It relies on the user to grab a secondary file from the hyperlink. I might
set up a VM later and see where the rabbit hole leads. Most likely a
keylogger if anything at all.

On Wed, Jan 19, 2022 at 11:30 AM J. King <jking at jkingweb.ca> wrote:

> On Wed, 2022-01-19 at 10:39 -0600, John Lange wrote:
> > For what it's worth, I downloaded this file and scanned it with
> > Windows Defender and it came back clean. I also uploaded it to a
> > (free) 3rd party malware detection site which reported "No security
> > vendors and no sandboxes flagged this file as malicious". So it
> > appears it is just a normal phishing attack and not a malware attack.
> > That being said, since it is so obviously a phish, there is no reason
> > to actually open it which puts you at risk of some zero-day attack.
> >
> > I'm actually amazed the original post didn't get caught in spam
> > filters.
>
> If you're referring to the message Eduard sent to the list, it's not
> that surprising. These days spam filters mostly rely on sender
> reputation and authentication, and the message looking like what it
> claims to be structurally; analysis of the text content of the message
> is an unreliable indicator, though it can tip the scales when other red
> flags are present. Eduard's having forwarded the spammy message (and
> then the list doing likewise) destroyed both the original sender
> information and the original structure, so it looks like what it is: a
> legitimate user sending a legitimate message through a legitimate
> mailing list.
>
> According to the header of what I received on my end, both MUUG's MTA
> and my own barely found it spammy. It seems they were only suspicious
> at all because there was no authentication information (SPF, DKIM,
> DMARC, ARC) attributable to Eduard's message.
>
> --
> J. King <jking at jkingweb.ca>
> _______________________________________________
> Roundtable mailing list
> Roundtable at muug.ca
> https://muug.ca/mailman/listinfo/roundtable
>
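Since the observation above is that the PDF carries a hyperlink to a secondary download rather than an executable payload, a defender's first step is to list the link targets without opening the file. The script below is an added triage example, not code from anyone in this thread; it scans a PDF for `/URI` entries, including ones hidden inside FlateDecode-compressed object streams, and the sample PDF bytes are constructed inline.

```python
"""Triage helper: list hyperlink targets embedded in a PDF without rendering it.

Assumption (not from the thread): link annotations store the target in a /URI
entry, either as plain object text or inside a FlateDecode-compressed stream.
"""
import re
import zlib

# /URI followed by a literal string "(...)" (with backslash escapes) or a hex string "<...>"
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _decode_pdf_string(literal, hexstr):
    """Turn the matched PDF string (literal or hex form) into text."""
    if hexstr is not None:
        clean = re.sub(rb"\s", b"", hexstr)
        if len(clean) % 2:
            clean += b"0"  # PDF pads an odd trailing hex digit with 0
        return bytes.fromhex(clean.decode("ascii")).decode("latin-1")
    # Undo the common literal-string escapes: \( \) \\
    return re.sub(rb"\\([()\\])", rb"\1", literal).decode("latin-1")


def extract_pdf_uris(pdf_bytes):
    """Return distinct /URI targets found in the raw file and in every
    stream that inflates with zlib, in order of first appearance."""
    blobs = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            blobs.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-encoded (image, font, ...): skip it
    seen, found = set(), []
    for blob in blobs:
        for m in URI_RE.finditer(blob):
            uri = _decode_pdf_string(m.group(1), m.group(2))
            if uri not in seen:
                seen.add(uri)
                found.append(uri)
    return found


# Constructed sample: one hex-string link in plain text, plus a compressed
# object stream hiding a second link whose literal string uses escapes.
_HIDDEN = zlib.compress(b"<< /Type /Annot /Subtype /Link /A << /S /URI "
                        b"/URI (http://example.invalid/invoice\\(1\\).zip) >> >>")
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <"
    + b"https://example.invalid/".hex().encode() + b"> >> >> endobj\n"
    b"2 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_HIDDEN)).encode() + b" >>\nstream\n" + _HIDDEN + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for uri in extract_pdf_uris(SAMPLE_PDF):
        print("link target:", uri)
```

Targets that point at an archive or executable download, as in the forwarded message, are the ones to detonate in the VM rather than on a workstation.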