This morning I received an email with an attached Word .doc document that is clearly a phishing attempt. The full text and headers of the message are posted below. I tried to attach the document but this forum won’t accept .doc files.
I did not open the document. I scanned it with Endpoint Protection 8.0.1603, VPS 150617-2, and nothing was detected.
This appears to be an instance of the phishing exploit discussed here:
https://techhelplist.com/index.php/spam-list/845-re-payment-transaction-invoice-malware
However, that site only discusses URL links in the email messages. The message I received did not contain a URL link; it had a .doc attachment called PM2A64.doc.
I tried to find a formal way to report undetected malware to Avast but there doesn’t seem to be one. So I’m posting this here. I will be glad to upload the document if someone can give me a mechanism that will accept it.
** Email Message Begins **
X-x: TimeOut
Return-Path: jane445@mail.hughes.net
Delivered-To: kend@stic-cil.org
Received: from smtp57.gate.ord1a (smtp57.gate.ord1a.rsapps.net [10.130.4.57])
    by store113a.mail.ord1a (SMTP Server) with ESMTP id 43B9D388006
    for kend@stic-cil.org; Thu, 18 Jun 2015 05:53:44 -0400 (EDT)
Received: from [172.27.146.83] ([172.27.146.83:41419] helo=smtp44.gate.iad3a)
    by smtp57.gate.ord1a.rsapps.net (envelope-from jane445@mail.hughes.net)
    (ecelerity 2.2.3.49 r(42060/42061)) with ESMTPS (cipher=AES256-SHA)
    id AC/21-31579-82592855; Thu, 18 Jun 2015 05:53:44 -0400
X-Spam-Threshold: 95
X-Spam-Score: 0
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-CMAE-Scan-Result: 0
X-CNFS-Analysis: v=2.1 cv=BPqK8jgG c=1 sm=0 tr=0 a=bex/9faoqBKyBq/aWfy6WQ==:117 a=xLcgiyMUInVIHykjz2qf3w==:17 a=jPJDawAOAc8A:10 a=gd8S59aKR-EA:10 a=pOfvU1qiAAAA:8 a=K-v-2zaBAAAA:8 a=KGjhK52YXX0A:10 a=XAFQembCKUMA:10 a=nE-2-McD1wyeLKvM1XUA:9 a=2xh9FXevrTH_pIzd:21 a=zbXdZdqxEG-wEWb3:21 a=QEXdDO2ut3YA:10 a=_W_S_7VecoQA:10 a=Ql9BLmpKDQEA:10 a=X6ib20irYCIA:10 a=N_5PHFRWqQRe0adqXLcA:9 a=diV1Cm6KfS4A:10
X-Orig-To: kend@stic-cil.org
X-Originating-Ip: [69.168.97.48]
Received: from [69.168.97.48] ([69.168.97.48:57209] helo=smtp.hughes.net)
    by smtp44.gate.iad3a.rsapps.net (envelope-from jane445@mail.hughes.net)
    (ecelerity 2.2.3.49 r(42060/42061)) with ESMTPS (cipher=AES256-SHA)
    id A8/2C-20205-72592855; Thu, 18 Jun 2015 05:53:43 -0400
X-Authed-Username: amFuZTQ0NUBodWdoZXMubmV0
X_CMAE_Category: 0,0 Undefined,Undefined
X-CM-Score: 0
X-Scanned-by: Cloudmark Authority Engine
Authentication-Results: smtp01.hughes.cmh.synacor.com header.from=jane445@mail.hughes.net; sender-id=neutral
Authentication-Results: smtp01.hughes.cmh.synacor.com smtp.mail=jane445@mail.hughes.net; spf=neutral; sender-id=neutral
Authentication-Results: smtp01.hughes.cmh.synacor.com smtp.user=jane445; auth=pass (LOGIN)
Received-SPF: neutral (smtp01.hughes.cmh.synacor.com: 42.114.73.68 is neither permitted nor denied by domain of mail.hughes.net)
Received: from [42.114.73.68] ([42.114.73.68:53241] helo=Admin-PC)
    by smtp.hughes.net (envelope-from jane445@mail.hughes.net)
    (ecelerity 2.2.3.49 r(42060/42061)) with ESMTPA
    id AA/BC-26404-02592855; Thu, 18 Jun 2015 05:53:42 -0400
From: jane445@mail.hughes.net
Message-ID: AA.BC.26404.02592855@smtp01.hughes.cmh.synacor.com
To: kend@stic-cil.org
Subject: Fw: C4AFM
Date: Thu, 18 Jun 2015 16:53:32 +0700
MIME-Version: 1.0 (produced by Synapse)
X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer
Content-type: Multipart/mixed; boundary="0019C904_0DE10A8E_Synapse_boundary"
Content-Description: Multipart message
X-Antivirus: avast! (VPS 150617-2, 06/17/2015), Inbound message
X-Antivirus-Status: Clean
Hi. I am Jakeem Hickman. I just received a bank transfer from your company. We need to verify if the payment is processed correctly. This contact was in the transaction reference.
Please review the attached statement and let me know what is the purpose of payment.
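Added example, not part of the post above: a small Python triage script that walks the Received chain from the posted headers oldest hop first and pulls out what a defender checks when a message like this lands, namely which host handed the message in first, whether that hop was an authenticated submission (ESMTPA), and the SPF verdict. The header block is copied from the post, trimmed to the hops used here and re-folded so the standard-library parser accepts it.

```python
import re
from email import message_from_string

# Headers from the post above, trimmed to the hops used here and re-folded for the stdlib parser.
RAW_HEADERS = """Received: from smtp57.gate.ord1a (smtp57.gate.ord1a.rsapps.net [10.130.4.57])
 by store113a.mail.ord1a (SMTP Server) with ESMTP id 43B9D388006
 for kend@stic-cil.org; Thu, 18 Jun 2015 05:53:44 -0400 (EDT)
Received: from [172.27.146.83] ([172.27.146.83:41419] helo=smtp44.gate.iad3a)
 by smtp57.gate.ord1a.rsapps.net (envelope-from jane445@mail.hughes.net)
 (ecelerity 2.2.3.49 r(42060/42061)) with ESMTPS (cipher=AES256-SHA) id AC/21-31579-82592855; Thu, 18 Jun 2015 05:53:44 -0400
Received: from [69.168.97.48] ([69.168.97.48:57209] helo=smtp.hughes.net)
 by smtp44.gate.iad3a.rsapps.net (envelope-from jane445@mail.hughes.net)
 (ecelerity 2.2.3.49 r(42060/42061)) with ESMTPS (cipher=AES256-SHA) id A8/2C-20205-72592855; Thu, 18 Jun 2015 05:53:43 -0400
Authentication-Results: smtp01.hughes.cmh.synacor.com smtp.user=jane445; auth=pass (LOGIN)
Received-SPF: neutral (smtp01.hughes.cmh.synacor.com: 42.114.73.68 is neither permitted nor denied by domain of mail.hughes.net)
Received: from [42.114.73.68] ([42.114.73.68:53241] helo=Admin-PC)
 by smtp.hughes.net (envelope-from jane445@mail.hughes.net)
 (ecelerity 2.2.3.49 r(42060/42061)) with ESMTPA id AA/BC-26404-02592855; Thu, 18 Jun 2015 05:53:42 -0400
"""


def first(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_hop(value):
    """Sending IP, HELO name, receiving host and protocol from one Received header."""
    v = " ".join(value.split())  # unfold continuation lines
    return {
        "ip": first(r"\[(\d{1,3}(?:\.\d{1,3}){3})", v),
        "helo": first(r"helo=([^\s)]+)", v),
        "by": first(r"\bby\s+(\S+)", v),
        "proto": first(r"\bwith\s+(\S+)", v),
    }


def triage(raw):
    """Walk the Received chain oldest-first and summarise origin and auth evidence."""
    msg = message_from_string(raw)
    # Each MTA prepends its own Received line, so the last one is the first hop.
    hops = [parse_hop(h) for h in reversed(msg.get_all("Received", []))]
    # ESMTPA: the client logged in with a password at this hop, so the mail came through a real account.
    submission = next((h for h in hops if h["proto"] == "ESMTPA"), None)
    return {
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else None,
        "origin_helo": hops[0]["helo"] if hops else None,
        "submission_by": submission["by"] if submission else None,
        "smtp_auth": first(r"auth=(\w+)", " ".join(msg.get_all("Authentication-Results", []))),
        "spf": first(r"^\s*(\w+)", msg.get("Received-SPF", "")),
    }
```

For these headers the walk ends at 42.114.73.68 announcing itself as Admin-PC, handed in over an authenticated session to smtp.hughes.net, which is why the sender address survives SPF as neutral rather than failing.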