We're getting slammed with these now. All of the files have
uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password"> in
them. Can we block based on content of a file?

I'm guessing this is a new Locky, but now encrypted so scanners don't catch it.

On Tue, Oct 18, 2016 at 10:27 AM, K Post <nntp.p...@gmail.com> wrote:

> I've seen a bunch of supposedly encrypted RTF files slip through today.
> The message body is typical spam, telling the user to open the important
> file, but the message also tells the user the password for the file.  I think
> these are created using Office's password protection feature and either
> renamed as RTF or saved as such (I didn't think you could do that).
> Any chance that AFC can block these?
> I didn't dare open a sample in Word, but I did inspect the file and see
> this block towards the bottom:
> <dataIntegrity encryptedHmacKey="fgNjkbaoZe/R57CgZGuXNbVgkS3W+hN9AIn8Bfxo6qMRtjYe1YaOVCuJPrvlv09jssa4FPC9ibrjP3TcVaUhpg=="
> encryptedHmacValue="KS8iQw1IXtV29p1ZMEMhndzwFlUlnJ2dBKXJJHAS6OTssbkEGDzX7AMxUQwF4iehdDUWexzwfweMJ/vs8uPqZA=="/>
> <keyEncryptors><keyEncryptor uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password">
> <p:encryptedKey spinCount="100000" saltSize="16" blockSize="16" keyBits="256" hashSize="64"
> cipherAlgorithm="AES" cipherChaining="ChainingModeCBC"
> hashAlgorithm="SHA512" saltValue="1bTPB9+6jWsKar2JVCGrzQ=="
> encryptedVerifierHashInput="iY92nwFxE0RqpxsqOTDjsQ=="
> encryptedVerifierHashValue="VNnSx7QjFX7l8p+AlGK9mtNS0kWr72+s1qVz4IxPIphhAxyntu6QK8tQR+y7ACnZZtCg+rrKv663ZWtA4fp6iA=="
> encryptedKeyValue="cogHjHRCuBxn2wDeVN7z2jbiCX+XknXtEH8ZmjCaG90="/>
> </keyEncryptor></keyEncryptors></encryption>
> VirusTotal has zero hits on the samples that I submitted, but if they're
> encrypted, that explains why...
> I just want to block ANY incoming encrypted document, including Office
> documents.
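A content-based check of the kind asked about in this thread, written here as an added Python example (not ASSP code and not from either poster): it classifies an attachment by its container magic bytes rather than its file name, scans for the password keyEncryptor URI quoted above, and reads the key-derivation parameters out of the surrounding element. The OLE2 header, EncryptionInfo version bytes and XML fragment in the sample are constructed; the parameter values are the ones quoted in the thread.

```python
import re

# Magic bytes of the container formats involved.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file; also wraps encrypted OOXML
ZIP_MAGIC = b"PK\x03\x04"                          # plain, unencrypted .docx/.xlsx/.pptx
RTF_MAGIC = b"{\\rtf"                              # genuine RTF is text starting with {\rtf

# Marker found in the EncryptionInfo stream of a password-protected OOXML file.
PASSWORD_KEY_ENCRYPTOR = b"http://schemas.microsoft.com/office/2006/keyEncryptor/password"
ATTR_RE = re.compile(rb'\b(spinCount|keyBits|cipherAlgorithm|cipherChaining|hashAlgorithm)="([^"]*)"')

# Container each extension is expected to use; anything else is a name/content mismatch.
EXPECTED = {"rtf": "rtf", "doc": "ole2", "xls": "ole2", "ppt": "ole2",
            "docx": "zip", "xlsx": "zip", "pptx": "zip", "docm": "zip", "xlsm": "zip"}

def container_of(data: bytes) -> str:
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "other"

def inspect_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment by its bytes, not by its name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    container = container_of(data)
    expected = EXPECTED.get(ext)
    # The EncryptionInfo XML is stored uncompressed inside the OLE2 container, so a raw
    # byte scan finds it in practice; a full CFB stream parser would be more robust.
    pos = data.find(PASSWORD_KEY_ENCRYPTOR)
    params = {}
    if pos != -1:  # attributes of p:encryptedKey follow the uri in the same element
        for key, value in ATTR_RE.findall(data[pos:pos + 2048]):
            params[key.decode()] = value.decode()
    return {"filename": filename, "container": container,
            "extension_mismatch": expected is not None and expected != container,
            "password_encrypted": container == "ole2" and pos != -1,
            "encryption": params}

def should_block(report: dict) -> bool:
    """Policy from the thread: reject any password-encrypted Office document, and
    also anything whose name claims one format while its content is another."""
    return report["password_encrypted"] or report["extension_mismatch"]

# Constructed sample: OLE2 header, one padded sector, EncryptionInfo version 4.4 header,
# then a minimal XML fragment carrying the parameters quoted in the thread.
SAMPLE_ENCRYPTED_RTF = (
    OLE2_MAGIC + b"\x00" * 504 + b"\x04\x00\x04\x00\x40\x00\x00\x00"
    + b'<encryption><keyEncryptors><keyEncryptor uri="' + PASSWORD_KEY_ENCRYPTOR + b'">'
    + b'<p:encryptedKey spinCount="100000" saltSize="16" blockSize="16" keyBits="256"'
    + b' hashSize="64" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC"'
    + b' hashAlgorithm="SHA512"/></keyEncryptor></keyEncryptors></encryption>')
SAMPLE_PLAIN_RTF = b"{\\rtf1\\ansi Hello}"  # constructed, benign RTF for comparison
```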
Assp-test mailing list
