[RndTbl] Fwd: Can a pdf file itself be malware Fwd: FW: remittance Message Payment Status Notification

Bitters bittercake2329 at gmail.com
Wed Jan 19 12:02:35 CST 2022


Checked out the link. It's one of the worst fake logins I have ever seen.
[image: image.png]


On Wed, Jan 19, 2022 at 11:55 AM Bitters <bittercake2329 at gmail.com> wrote:

> Seems to have a hyperlink inside the PDF that actually leads you to the
> malicious software. So maybe that's one way it gets past virus detection.
> It relies on the user to grab a secondary file from the hyperlink. I might
> set up a VM later and see where the rabbit hole leads. Most likely a
> keylogger if anything at all.
>
> On Wed, Jan 19, 2022 at 11:30 AM J. King <jking at jkingweb.ca> wrote:
>
>> On Wed, 2022-01-19 at 10:39 -0600, John Lange wrote:
>> > For what it's worth, I downloaded this file and scanned it with
>> > Windows Defender and it came back clean. I also uploaded it to a
>> > (free) 3rd party malware detection site which reported "No security
>> > vendors and no sandboxes flagged this file as malicious". So it
>> > appears it is just a normal phishing attack and not a malware attack.
>> > That being said, since it is so obviously a phish, there is no reason
>> > to actually open it which puts you at risk of some zero-day attack.
>> >
>> > I'm actually amazed the original post didn't get caught in spam
>> > filters.
>>
>> If you're referring to the message Eduard sent to the list, it's not
>> that surprising. These days spam filters mostly rely on sender
>> reputation and authentication, and the message looking like what it
>> claims to be structurally; analysis of the text content of the message
>> is an unreliable indicator, though it can tip the scales when other red
>> flags are present. Eduard's having forwarded the spammy message (and
>> then the list doing likewise) destroyed both the original sender
>> information and the original structure, so it looks like what it is: a
>> legitimate user sending a legitimate message through a legitimate
>> mailing list.
>>
>> According to the header of what I received on my end, both MUUG's MTA
>> and my own barely found it spammy. It seems they were only suspicious
>> at all because there was no authentication information (SPF, DKIM,
>> DMARC, ARC) attributable to Eduard's message.
>>
>> --
>> J. King <jking at jkingweb.ca>
>> _______________________________________________
>> Roundtable mailing list
>> Roundtable at muug.ca
>> https://muug.ca/mailman/listinfo/roundtable
>>
>
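The thread's observation that the PDF carried a hyperlink to a secondary download, rather than embedded malware, points to a triage step that does not require opening the file: enumerate the /URI actions the document contains. The Python below is an added example, not code from the thread or from the MUUG list; it scans a PDF's raw bytes (and any FlateDecode streams it can inflate, since newer PDFs tuck annotations into compressed object streams) for /URI link targets. The sample PDF is constructed inline, and the example.invalid hostnames in it are placeholders, not indicators from the original message.

```python
import re
import zlib

# A /URI action's target can be a literal string "( ... )", with backslash
# escapes, or a hex string "< ... >".  Both forms are matched below.
LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
# stream ... endstream bodies; the lookbehind keeps "endstream" from matching.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def unescape_literal(raw: bytes) -> bytes:
    """Undo PDF literal-string escapes: \\( \\) \\\\ \\n ... and \\ddd octal."""
    def repl(m):
        body = m.group(1)
        if body[:1].isdigit():
            return bytes([int(body, 8) & 0xFF])
        return _ESCAPES.get(body, body)   # unknown escape: drop the backslash
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, raw, flags=re.DOTALL)


def _inflated_streams(data: bytes):
    """Yield the decompressed body of every stream that zlib can inflate."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue   # not FlateDecode (image data, other filter, truncated)


def extract_uris(pdf: bytes) -> list:
    """Return every /URI target in the file, in order, without duplicates.

    Strings are decoded as Latin-1 so nothing is lost; real documents may use
    PDFDocEncoding or UTF-16BE with a BOM, which a full parser would handle.
    """
    found = []
    for chunk in [pdf, *_inflated_streams(pdf)]:
        for m in LITERAL_RE.finditer(chunk):
            found.append(unescape_literal(m.group(1)))
        for m in HEX_RE.finditer(chunk):
            digits = re.sub(rb"\s", b"", m.group(1))
            if len(digits) % 2:
                digits += b"0"   # PDF pads an odd trailing hex digit with 0
            found.append(bytes.fromhex(digits.decode("ascii")))
    seen, out = set(), []
    for u in found:
        s = u.decode("latin-1")
        if s not in seen:
            seen.add(s)
            out.append(s)
    return out


def build_sample_pdf() -> bytes:
    """Constructed sample: two visible /Link annotations (one literal /URI with
    escaped parentheses, one hex /URI) plus a FlateDecode stream hiding a third.
    Hostnames use the reserved example.invalid placeholder."""
    hidden = b"<< /Subtype /Link /A << /S /URI /URI (http://example.invalid/hidden) >> >>"
    packed = zlib.compress(hidden)
    hex_uri = b"https://example.invalid/login".hex().encode("ascii")
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
        b" /Annots [4 0 R 5 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]"
        b" /A << /S /URI /URI (http://example.invalid/remittance/Payment_Status\\(1\\).zip) >> >> endobj\n"
        b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620]"
        b" /A << /S /URI /URI <" + hex_uri + b"> >> >> endobj\n"
        b"6 0 obj << /Filter /FlateDecode /Length " + str(len(packed)).encode("ascii")
        + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    for uri in extract_uris(build_sample_pdf()):
        print(uri)
```

Run it against a suspicious attachment with `extract_uris(open(path, "rb").read())` and compare the hosts against the purported sender before anyone clicks. The scanner is deliberately shallow: it will miss links inside streams that use filters other than FlateDecode or that are encrypted, and it says nothing about /Launch, /JavaScript or form-submission actions, so a clean result from it is not a verdict; a full PDF parser is the next step when the result matters.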