Hi there,

Our scanner found this at about 09:33 UTC today in incoming mail. Our automated system reported it to the ClamAV team, using 'clamsubmit', at that time.

Apparently this is the first time the threat has been seen by Jotti; I just thought I'd mention it because firstly it's a Windows threat, and secondly at the time of writing (although ClamAV is detecting it) it seems that very few of the other scanners are, which is rather unusual.

It was sent by 143.198.53.9. This is a DigitalOcean IP in AS14061, which we blacklist routinely. The IP is already on at least four of the dozen or so IP-based DNSBLs that we use.

Summary:

Name:          5562e86df7accb7ba8acfbd9e82946414116149d02b7b28d5850d4829bb46ef7-11266.txt
Size:          11kB (11,266 bytes)
Type:          Microsoft Word 2007+
First seen:    August 1, 2022 at 11:50:36 AM GMT+2
MD5:           f6c1626fe8f6404971ea949e4bd4d7c6
SHA1:          8a166e8c86b7712fe0d52e3c37260aea755ebc62
Status:        Scan finished. 3/15 scanners reported malware.
Scan taken on: August 1, 2022 at 11:50:38 AM GMT+2

Results:

https://www.avast.com               Aug 1, 2022    Found nothing
https://www.bitdefender.com         Aug 1, 2022    Found nothing
https://www.clamav.net              Jul 28, 2022   Doc.Downloader.TemplateInjection-6332119-0
https://www.cyren.com               Aug 1, 2022    Found nothing
https://www.drweb.com               Aug 1, 2022    Found nothing
https://www.escanav.com             Aug 1, 2022    Found nothing
https://www.fortinet.com            Aug 1, 2022    Found nothing
https://www.f-secure.com            Aug 1, 2022    Found nothing
https://www.gdatasoftware.com       Aug 1, 2022    Found nothing
https://www.ikarus.at               Aug 1, 2022    Trojan-Downloader.Office.Doc
https://www.k7computing.com/...     Aug 1, 2022    Found nothing
https://www.kaspersky.com           Aug 1, 2022    HEUR:Exploit.MSOffice.Generic
https://www.sophos.com              Aug 1, 2022    Found nothing
https://www.trendmicro.com          Jul 28, 2022   Found nothing
https://anti-virus.by/en            Jul 29, 2022   Found nothing

The 'Name' field above is just our SHA256 digest of the offending piece of the message. It's a MIME attachment of course; the SHA is calculated on the base64-encoded body part, but we sent the decoded payload to Jotti for their scans.

--
73, Ged.
_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
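Two things in the post are worth seeing in working code: the distinction between hashing the base64-encoded MIME body part (the poster's 'Name' digest) and hashing the decoded payload (what Jotti and the other scanners see), and the trait behind ClamAV's Doc.Downloader.TemplateInjection family name, a Word 2007+ package whose word/_rels/settings.xml.rels carries an attachedTemplate relationship with TargetMode="External", so Word fetches the real payload from a remote URL when the document opens. The following Python is an added example written for this page; it is not the poster's scanner nor ClamAV's code, and it does not reproduce the sample from the post. The lure mail, the .docx package, the addresses and the template URL http://example.invalid/template.dotm are constructed placeholders.

```python
"""Added example: triage a mail attachment the way the post describes.

Hashes the base64 body part and the decoded payload separately, then opens
the decoded .docx and looks for an External attachedTemplate relationship
(remote template injection). The message, the .docx and the template URL
are CONSTRUCTED placeholders, not indicators from the post.
"""
import email
import email.policy
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile
from email.message import EmailMessage

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
TEMPLATE_REL = R_NS + "/attachedTemplate"
EXTERNAL_TEMPLATE = "http://example.invalid/template.dotm"  # assumed placeholder


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_docx(template_target=None):
    """Minimal Word 2007+ package. With template_target set, word/settings.xml
    references rId1 and settings.xml.rels resolves it to an External target."""
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>'),
        "_rels/.rels": (
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{R_NS}/officeDocument" Target="word/document.xml"/></Relationships>'),
        "word/document.xml": (
            f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Invoice</w:t>'
            '</w:r></w:p></w:body></w:document>'),
        "word/settings.xml": (
            f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
            + ('<w:attachedTemplate r:id="rId1"/>' if template_target else '')
            + '</w:settings>'),
    }
    if template_target:
        parts["word/_rels/settings.xml.rels"] = (
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{TEMPLATE_REL}" '
            f'Target="{template_target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            zi = zipfile.ZipInfo(name, date_time=(2022, 8, 1, 0, 0, 0))  # fixed: reproducible bytes
            zi.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(zi, xml)
    return buf.getvalue()


def find_remote_templates(docx_bytes):
    """(rels part, target) for each attachedTemplate relationship whose
    TargetMode is External, i.e. a template Word will fetch from elsewhere."""
    if not zipfile.is_zipfile(io.BytesIO(docx_bytes)):
        return []  # not an OOXML package (e.g. RTF or an OLE .doc): out of scope here
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == TEMPLATE_REL and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Target")))
    return hits


def build_message(docx_bytes):
    """Constructed lure mail carrying the .docx as a base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "ap@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(
        docx_bytes, maintype="application",
        subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
        filename="invoice.docx")
    return msg.as_bytes()


def digest_attachments(raw_message):
    """One record per attachment: digests of the body part as transmitted
    (base64 text) and of the decoded payload, plus remote templates found."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    report = []
    for part in msg.iter_attachments():
        encoded = part.get_payload(decode=False).encode("ascii")  # wire form
        decoded = part.get_payload(decode=True)                    # what the user opens
        report.append({
            "filename": part.get_filename(),
            "cte": str(part["Content-Transfer-Encoding"]),
            "sha256_encoded": sha256_hex(encoded),
            "sha256_decoded": sha256_hex(decoded),
            "md5_decoded": hashlib.md5(decoded).hexdigest(),
            "remote_templates": find_remote_templates(decoded),
        })
    return report


if __name__ == "__main__":
    for rec in digest_attachments(build_message(build_docx(EXTERNAL_TEMPLATE))):
        for key, value in rec.items():
            print(f"{key:17} {value}")
```

Note the practical consequence of hashing the encoded body part: that digest depends on the transfer encoding and on how the sending MTA wrapped the base64 lines, so it will not match what Jotti, VirusTotal or another site reports for the same file; only the digest of the decoded payload is comparable across scanners, which is why the decoded bytes are what to submit and what to pivot on.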
