Thursday, July 26, 2012

Scan from a Hewlett-Packard ScanJet

I recently received several emails telling me that my document had been scanned and sent to me.

Subjects include (there are many variants in which only the number differs):
Re: Scan from a HP ScanJet #920330420
Fwd: Re: Scan from a Hewlett-Packard ScanJet 02872405

That notification would be great, except for the fact that I didn't scan anything:


You received your document !

The text reads:
Attached document was scanned and sent
to you using a Hewlett-Packard I-25625SL.
SENT BY : ORPHA
PAGES : 4
FILETYPE: .DOC [Word2003 File]

A classic social engineering trick: they make you believe the file is a Word document. If we open the ZIP archive, we can clearly see it is just an EXE file. Did they perhaps forget to swap in a Word icon?



The filetype is clearly an application, not a Word document
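As an added example (not part of the original post), here is a small Python check for the two tells described above: the campaign's subject line pattern, and a ZIP attachment that contains a PE executable even when its name has been changed to look like a scanned document. The sample ZIP is constructed inside the script with a 64-byte MZ stub, not the real file, and the renamed `.doc` entry is a hypothetical variant added to show that the content check still catches it.

```python
import io
import re
import zipfile

# Subject pattern of this campaign: optional Re:/Fwd: prefixes, either
# spelling of the vendor, optional '#', then the varying number.
SUBJECT_RE = re.compile(
    r"^(?:(?:Re|Fwd):\s*)*Scan from a (?:HP|Hewlett-Packard) ScanJet\s*#?\d+\s*$",
    re.IGNORECASE,
)
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def is_campaign_subject(subject: str) -> bool:
    return SUBJECT_RE.match(subject.strip()) is not None


def suspicious_entries(zip_bytes: bytes) -> list:
    """Return (entry name, reason) for every ZIP member that is a PE file
    by content or carries an executable extension by name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                head = member.read(len(PE_MAGIC))
            if head == PE_MAGIC:
                findings.append((info.filename, "PE (MZ) header, whatever the extension"))
            elif info.filename.lower().endswith(EXEC_EXTS):
                findings.append((info.filename, "executable extension"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: the EXE name from the post, a hypothetical copy
    renamed to .doc (the content check still catches it) and a harmless
    text file. The 'executable' is a 64-byte MZ stub, not real malware."""
    stub = PE_MAGIC + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("HP_Scan_N989397452.exe", stub)
        zf.writestr("Scan_02872405.doc", stub)
        zf.writestr("readme.txt", b"plain text, nothing executable")
    return buf.getvalue()


if __name__ == "__main__":
    for subj in ("Re: Scan from a HP ScanJet #920330420", "Your invoice"):
        print(f"{subj!r}: campaign subject = {is_campaign_subject(subj)}")
    for name, reason in suspicious_entries(build_sample_zip()):
        print(f"flag {name}: {reason}")
```

The content check is the important one: a mail gateway that only looks at extensions misses an executable renamed to `.doc`, while the MZ header gives it away regardless of name or icon.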



Let's see some more information about this file:

HP_Scan_N989397452.exe
Result: 18/41
MD5: e187763c92e2acc6bb1c804309ebb381
VirusTotal Report
ThreatExpert Report
Anubis Report


The file tries to phone home to 78.46.64.17 to fetch instructions; that address appears to be part of the Feodo botnet (IPvoid result).

In case you're wondering, the emails were sent by the Cutwail spam botnet. Some example IPs:
190.43.118.189 - IPvoid result
211.221.155.211 - IPvoid result

Conclusion

Pretty simple. Never open any emails from unknown senders, and certainly not their attachments.