Password protected (777) email attachment


Zagor

Hello,

My colleague got a password-protected attachment from a customer email. She opened it (the content is a .doc file) but nothing happened. Then she sent it to me saying: "I cannot read this zip file", and I opened it too, with the same result. Only afterwards did I realize that the email was probably a fake one! 😞

After that I performed a full scan with Eset (Endpoint 5.0), but it didn't find anything. I tried to scan the ZIP file directly, but it is password protected so Eset can't analyze it. How can I check whether I got malware? If it might be useful I can upload the suspicious ZIP file.

Thanks and bye.


Hi, I have an update: I checked my computer with Nod32 and 3 other antivirus programs, but none of them found anything.

Can I reassure myself about my PC being clean? Is it possible that the suspicious file actually didn't take any action? I attach the scan of the suspicious file performed on the www.virustotal.com web site.

Thanks for any hint/suggestion.

Z.


  • 3 weeks later...

Hi all, has nobody really faced this situation? Are all of the malware identified by VirusTotal dangerous or not? Might there be a hidden ransomware with delayed activation?

Thanks and bye,

  Z.


  • Administrators

Since the doc file is detected not only by ESET but also by other AVs, it's unlikely to be clean. However, after scanning the file with ESET, the malicious macro should have been sanitized and the file should no longer be detected by us (some other AVs may still detect it though).


Thanks Marcos,

When I opened the doc the first time, no popup warning was displayed by Nod32. Is it possible that something was installed at that time? After realizing this, I performed a full scan with Nod32, Spybot s&d, Zemana, Malwarebytes and HitmanPro, but they didn't find anything serious. Can I consider my PC clean, or should I perform a deeper analysis (and if so, how)?

Thanks again, Z.


  • Administrators

It's impossible to tell what could have happened when you ran the file. The thing is, the payload on servers may change over time, there may be no payload at times, connections to the server may fail, the downloaded payload may be undetected, etc. If running a full disk scan doesn't reveal any threat on the machine, I'd consider it clean.


Hi Marcos, I have an update: I discovered that my case was an attempt of the FTCODE ransomware. Following the description given here I searched for all the features, but I found nothing, nor was any file encrypted, so I think it definitely didn't activate for some reason. Do you agree?

Bye, Z.


  • Most Valued Members

It's also better to stay away from suspicious files, especially attachments that you don't expect.


  • Administrators

You initially posted in September but that "FTCODE" ransomware is relatively new, hence I think it was something different and the downloader was supposed to download a different malware.
