Thursday, July 26, 2012

Scan from a Hewlett-Packard ScanJet

I recently received several mails telling me that my document had been scanned and sent to me.

Subjects seen so far (there are many variants; only the number differs):
Re: Scan from a HP ScanJet #920330420
Fwd: Re: Scan from a Hewlett-Packard ScanJet 02872405

That notification would be great, except for the fact that I didn't scan anything:

You received your document !

The text reads:
Attached document was scanned and sent
to you using a Hewlett-Packard I-25625SL.
FILETYPE: .DOC [Word2003 File]

Classic social engineering trick: they want you to believe the file is a Word document. If we open the ZIP archive, we can clearly see it is just an EXE file. Did they perhaps forget to swap in a Word icon?

The filetype is clearly an application, not a Word document
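One way to catch this kind of lure automatically, as an added example that is not part of the original post: inspect every entry of a ZIP attachment and flag executables by their PE `MZ` header (which also catches a renamed binary), by executable extension, and by a document-looking double extension. The ZIP and the `MZ` stub inside it are constructed here for the demo; the file name reuses the number from one of the subject lines above.

```python
import io
import zipfile

# Executable extensions commonly delivered inside ZIP lures (Windows PE and script hosts)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx"}


def inspect_zip_attachment(zip_bytes: bytes) -> list[dict]:
    """Return one finding per ZIP entry that looks like an executable posing as a document.

    Checks: (1) a PE 'MZ' magic header, regardless of the file name; (2) an executable
    extension; (3) a double extension such as 'scan.doc.exe'.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            exts = ["." + p for p in parts[1:]]
            last_ext = exts[-1] if exts else ""
            head = zf.open(info).read(2)  # only the magic bytes are needed
            reasons = []
            if head == b"MZ":
                reasons.append("PE (MZ) header")
            if last_ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {last_ext}")
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append(f"document-looking double extension {exts[-2]}{last_ext}")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample resembling the lure: a fake PE named like a scanned Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Constructed stub: only the MZ magic plus padding, not a real program.
        zf.writestr("Scan_02872405.doc.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("README.txt", b"harmless text file")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip_attachment(build_sample_zip()):
        print(f"{f['name']}: {', '.join(f['reasons'])}")
```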

Let's see some more information about this file:

Result: 18/41
MD5: e187763c92e2acc6bb1c804309ebb381
VirusTotal Report
ThreatExpert Report
Anubis Report

The file tries to phone home to - to fetch instructions - which seems to be part of the Feodo botnet. - IPvoid result

In case you're wondering, the mails were sent by the Cutwail spam botnet. Some example IPs: - IPvoid result - IPvoid result


Pretty simple. Never open any emails from unknown senders, and certainly not attachments.