[clamav-users] New kid on the block?
Hi there,

Our scanner found this at about 09:33 UTC today in incoming mail. Our
automated system reported it to the ClamAV team, using 'clamsubmit' at
that time.

Apparently this is the first time the threat has been seen by Jotti; I
just thought I'd mention it because firstly it's a Windows threat, and
secondly at the time of writing (although ClamAV is detecting it) it
seems that very few of the other scanners are, which is rather unusual.

It was sent by 143.198.53.9. This is a DigitalOcean IP in AS14061,
which we blacklist routinely. The IP is already on at least four of
the dozen or so IP-based DNSBLs that we use.

Summary:
Name: 5562e86df7accb7ba8acfbd9e82946414116149d02b7b28d5850d4829bb46ef7-11266.txt
Size: 11kB (11,266 bytes)
Type: Microsoft Word 2007+
First seen: August 1, 2022 at 11:50:36 AM GMT+2
MD5: f6c1626fe8f6404971ea949e4bd4d7c6
SHA1: 8a166e8c86b7712fe0d52e3c37260aea755ebc62
Status: Scan finished. 3/15 scanners reported malware.
Scan taken on: August 1, 2022 at 11:50:38 AM GMT+2
Results:
https://www.avast.com Aug 1, 2022 Found nothing
https://www.bitdefender.com Aug 1, 2022 Found nothing
https://www.clamav.net Jul 28, 2022 Doc.Downloader.TemplateInjection-6332119-0
https://www.cyren.com Aug 1, 2022 Found nothing
https://www.drweb.com Aug 1, 2022 Found nothing
https://www.escanav.com Aug 1, 2022 Found nothing
https://www.fortinet.com Aug 1, 2022 Found nothing
https://www.f-secure.com Aug 1, 2022 Found nothing
https://www.gdatasoftware.com Aug 1, 2022 Found nothing
https://www.ikarus.at Aug 1, 2022 Trojan-Downloader.Office.Doc
https://www.k7computing.com/... Aug 1, 2022 Found nothing
https://www.kaspersky.com Aug 1, 2022 HEUR:Exploit.MSOffice.Generic
https://www.sophos.com Aug 1, 2022 Found nothing
https://www.trendmicro.com Jul 28, 2022 Found nothing
https://anti-virus.by/en Jul 29, 2022 Found nothing

The 'Name' field above is just our SHA256 digest of the offending
piece of the message. It's a MIME attachment, of course; the SHA is
calculated on the base64-encoded body part, but we sent the decoded
payload to Jotti for their scans.

--

73,
Ged.
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
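The post's 'Name' field is a SHA256 over the base64-encoded MIME body part, not over the decoded file, so it will never match the digest a scanner or sample-sharing site reports for the same attachment. The following added example (not part of the original post or of the scanner output quoted above) builds a constructed message carrying a small zip container laid out like a Word 2007+ document, then hashes the attachment both ways to show the two values differ and identifies the container from its contents. The filenames, addresses and the stand-in document are all constructed for the example; nothing here reproduces the sample in the post.

```python
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_stand_in_docx() -> bytes:
    """Constructed stand-in for a Word 2007+ file: a zip with the two
    entries that identify the format. It carries no document content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def build_message(payload: bytes) -> bytes:
    """Constructed e-mail with the payload as a base64 attachment,
    the way a mail gateway would receive it."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(
        payload,
        maintype="application",
        subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
        filename="sample.docx",
    )
    return msg.as_bytes()


def identify(data: bytes) -> str:
    """Rough file-type identification matching the 'Type' line of the
    scan report: a zip container whose entries are those of a Word file."""
    if not data.startswith(b"PK\x03\x04"):
        return "not a zip container"
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return "corrupt zip"
    if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
        return "Microsoft Word 2007+"
    return "zip container"


def attachment_digests(raw_message: bytes) -> dict:
    """Hash the first attachment two ways: over the base64 text as it
    travelled in the message, and over the decoded payload. Only the
    second matches what a scanner computes on the file itself."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    for part in msg.iter_attachments():
        encoded_body = part.get_payload(decode=False)  # base64 text, str
        decoded = part.get_payload(decode=True)        # the actual file bytes
        return {
            "filename": part.get_filename(),
            "transfer_encoding": part["Content-Transfer-Encoding"],
            "sha256_encoded": sha256_hex(encoded_body.encode("ascii")),
            "sha256_decoded": sha256_hex(decoded),
            "size_decoded": len(decoded),
            "type": identify(decoded),
        }
    raise ValueError("message carries no attachment")


if __name__ == "__main__":
    sample = build_stand_in_docx()
    info = attachment_digests(build_message(sample))
    for key, value in info.items():
        print(f"{key}: {value}")
    print("decoded digest matches file:", info["sha256_decoded"] == sha256_hex(sample))
```

When comparing a gateway's own digest against scanner results or a threat-intel feed, the digest has to be taken over the decoded payload; a hash of the base64 body also changes with line wrapping and whitespace, so two gateways can compute different values for the very same file.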