Scam mail: find attachment PO with RAR file

Another scam mail, claiming to be a PO (purchase order) from some company.

You should always be careful when receiving an email from an unknown origin. Especially when there is an attachment in the email, you should pay close attention.

The newest member in our series of scams is a fake purchase order mail. The goal is clear: make the user curious about the content so that they will hopefully open the attachment and run it.

In our case, we have a RAR file in the email. I am not sure why they use the RAR format and not the ZIP format, because you would need additional software like WinRAR or 7-Zip to extract the file.

In general, it is best to just delete the mail. But we want a closer look and start the Linux virtual machine. We open the RAR file and find an .exe file in the archive, which means it is a Windows executable. If you run that file on your Windows system, the system will get infected with malware.

The check with confirms the suspicion, but as you can see, only 15 out of 57 antivirus tools currently detect the malware.

So the general advice, as always: be careful with file attachments you receive via email. Always double-check the content, for example with online services like, since your locally installed antivirus solution might not detect the malware.
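As an added example (not code from the original post), a small triage script that does the safe part of the procedure described above before anything is opened: it pulls the attachments out of a raw mail, identifies RAR archives and Windows executables by their magic bytes rather than by the file name, and produces a SHA-256 hash that can be looked up with an online scanner. The sample mail, sender addresses and file name are constructed; the attachment is only a RAR5 header with padding, not a real archive.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Magic bytes for the formats of interest, checked instead of trusting the name.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR4, RAR5
PE_MAGIC = b"MZ"  # Windows executable (.exe)

def classify_attachment(name, data):
    """Format by magic bytes, SHA-256 for an online scanner lookup, and a flag."""
    if data.startswith(RAR_MAGICS):
        kind = "rar-archive"
    elif data.startswith(PE_MAGIC):
        kind = "windows-executable"
    else:
        kind = "other"
    # Archives and executables are never opened here: hash them and check the
    # hash with an online scanner, then inspect only inside an isolated VM.
    return {"name": name, "kind": kind,
            "sha256": hashlib.sha256(data).hexdigest(),
            "suspicious": kind != "other"}

def triage_message(raw_bytes):
    """One classification per attachment of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [classify_attachment(part.get_filename() or "(unnamed)",
                                part.get_payload(decode=True) or b"")
            for part in msg.iter_attachments()]

def build_sample():
    """Constructed sample: a fake 'purchase order' mail carrying a RAR5 header."""
    m = EmailMessage()
    m["From"] = "orders@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = "Purchase Order"
    m.set_content("Please find the attached purchase order.")
    m.add_attachment(RAR_MAGICS[1] + b"\x00" * 32, maintype="application",
                     subtype="octet-stream", filename="PO.rar")
    return m.as_bytes()

if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```

Listing the members of a RAR archive needs extra tooling, which is exactly why the post does that step inside a virtual machine; this script stops at identifying and hashing the attachment.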

