Chas4, Posted September 27, 2023

I forwarded the email with it to ESET at the end of July, so ESET should have it.

Norton-pdf-invoice-0526642.pdf
MD5: 68f06e5ce4f9c821e05193331f98237e
SHA-1: b65e2c39b070111f6a67b85cd9e62643fdbb9c5a
SHA-256: cf04b7f85952861ed00e5141c3595d48992f5b5f38bb11abfd33e67747064a2c
https://www.virustotal.com/gui/file/cf04b7f85952861ed00e5141c3595d48992f5b5f38bb11abfd33e67747064a2c/detection

The same scammer is actively using that and other PDFs for phishing, and maybe malware also.
Marcos (Administrator), Posted September 27, 2023

It may be a scam; however, there's no hyperlink nor instructions to pay for the service. The only suspicious and possibly scam thing about it is the phone number ("If you need to halt the transaction or modify it, please reach out to our client support team at ..."). No vendor detects it, and probably we won't detect it either.
Chas4 (Author), Posted September 27, 2023

11 minutes ago, Marcos said:
"It may be a scam; however, there's no hyperlink nor instructions to pay for the service. The only suspicious and possibly scam thing about it is the phone number ("If you need to halt the transaction or modify it, please reach out to our client support team at ..."). No vendor detects it, and probably we won't detect it either."

False. The URL is in the PDF, which they may have put other malware into, and it is part of an active phishing attack.
Marcos (Administrator), Posted September 27, 2023

Where in the PDF is a clickable hyperlink?
Chas4 (Author), Posted September 27, 2023

Last I knew it was in there (I noticed many scammers don't always make it into a hyperlink). Are phishing PDFs not blocked? That is different from the ones I have reported in the past, which ESET is blocking.
Marcos (Administrator), Posted September 27, 2023

Unfortunately, I don't know what PDFs you sent in the past for which a detection was added.
Chas4 (Author), Posted September 27, 2023

From: unique plan key -6188776 <matinezmaletze4al@gmail.com> (maybe spoofed)
Date: Wednesday, July 26, 2023 at 1:55 PM
To: target email
Subject: Order Detail-052664885/pdf summary -INVOICE.

target email

The transaction has been finalized and your services have been successfully enhanced. Your Norton services has been successfully upgraded. We have forwarded an improved version of the PDF receipt to your email. The text refers to an attached PDF file. For immediate assistance, get in touch with the Helpdesk by dialing +1 815 564 2372 We highly appreciate your decision.

I sent that to ESET on July 26, 2023.
Marcos (Administrator), Posted September 27, 2023

I see only one ticket, with subject "Fw: Your payment dqmiownhi", sent from your forum email address on January 22, 2023.
Chas4 (Author), Posted September 27, 2023

27 minutes ago, Marcos said:
"I see only one ticket, with subject "Fw: Your payment dqmiownhi", sent from your forum email address on January 22, 2023."

The forum one rarely gets spam. I forward from a different account, which was added to a spammers' list after a leak at MLB, over 10 years ago, that they never acknowledged.
Marcos (Administrator), Posted September 27, 2023

It is the very same PDF that you sent on July 26.
itman, Posted September 27, 2023 (edited)

2 hours ago, Marcos said:
"Where in the PDF is a clickable hyperlink?"

Another important detail is that no data exists on where to make the payment. This leads me to believe the e-mail itself contained this info, along with possibly a malicious link. I assume the .pdf was an attachment to the e-mail. Bottom line: there is nothing malicious about the .pdf per se, other than supporting the attempted scam.

-EDIT- Duh ..... Just realized the .pdf was a receipt. So the whole purpose was to get the e-mail recipient to open the .pdf. Was the attachment a .pdf or something else? I suspect the latter. Let's say the attachment was an archive. When ESET scanned it, it removed any malware, leaving the benign .pdf file.

Edited September 27, 2023 by itman
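The question Marcos raises ("Where in the PDF is a clickable hyperlink?") and itman's conclusion that the receipt is benign on its own come down to one check a practitioner can run locally: does the file carry a link annotation or an action (/URI, /Launch, /JavaScript, /OpenAction, /AA and the like), or does the URL or phone number exist only as drawn page text that no scanner will follow? The script below is an added example, not code from this thread or from ESET. It uses only the Python standard library: it hashes the bytes so they can be compared with the MD5/SHA-1/SHA-256 values posted above or looked up on VirusTotal, then searches the raw file plus every FlateDecode stream it can inflate for those keys, extracts any /URI targets, and pulls phone-number-shaped strings out of text-showing (Tj) operators. The two sample PDFs it builds, the phone number and the URL in them are constructed placeholders, not the real attachment. A file that uses object streams, other stream filters or encryption is flagged as needing a real parser (pdf-parser or peepdf), because a byte grep cannot see inside those; text drawn via TJ arrays or rendered as an image is also invisible to it.

```python
"""Triage a PDF attachment for clickable links and active content (stdlib only).

Added example, not the forum's or ESET's code. Hashes the bytes, then searches
the raw file and every FlateDecode stream it can inflate for the PDF keys that
make a document clickable or active, plus phone numbers drawn as page text.
"""
import hashlib
import re
import zlib

# Name keys that make a PDF do something when opened or clicked.
ACTIVE_KEYS = (b"/URI", b"/Launch", b"/JavaScript", b"/JS", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")
# Encodings a byte grep cannot see through; hand such files to a real PDF parser.
OPAQUE = (b"/ObjStm", b"/LZWDecode", b"/ASCII85Decode", b"/ASCIIHexDecode",
          b"/RunLengthDecode", b"/Encrypt")
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
TJ_STRING_RE = re.compile(rb"\(((?:[^()\\]|\\.)*)\)\s*Tj")  # literal strings drawn as text
PHONE_RE = re.compile(rb"\+?\d[\d\s().-]{8,}\d")            # loose phone-number shape


def file_hashes(data):
    """MD5/SHA-1/SHA-256 of the file, for comparison with a report or VirusTotal."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def _views(data):
    """Yield the raw bytes, then every stream body that inflates cleanly with zlib."""
    yield data
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            pass  # uncompressed, image or non-zlib stream: its raw bytes are already in data


def scan_pdf(data):
    keys, uris, phones = {}, set(), set()
    for view in _views(data):
        for key in ACTIVE_KEYS:
            # whole-name match so that /JS does not also count /JSx
            n = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", view))
            if n:
                keys[key.decode()] = keys.get(key.decode(), 0) + n
        uris.update(u.decode("latin-1") for u in URI_RE.findall(view))
        for s in TJ_STRING_RE.findall(view):
            phones.update(p.decode("latin-1") for p in PHONE_RE.findall(s))
    return {"active_keys": keys, "uris": sorted(uris), "phones": sorted(phones),
            "needs_full_parser": any(k in data for k in OPAQUE)}


def build_pdf(text, uri=None, compress=False):
    """Construct a one-page PDF (a sample built here, not the real attachment).

    With uri set, the page gets a /Link annotation whose /URI action makes the
    text clickable; with compress, the content stream is FlateDecoded so the
    text is only visible after inflating it.
    """
    body = b"BT /F1 12 Tf 72 700 Td (" + text + b") Tj ET"
    if compress:
        body = zlib.compress(body)
    filt = b" /Filter /FlateDecode" if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R"
        + (b" /Annots [5 0 R]" if uri else b"") + b" >>",
        b"<< /Length %d%s >>\nstream\n" % (len(body), filt) + body + b"\nendstream",
    ]
    if uri:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 712] "
                    b"/A << /S /URI /URI (" + uri + b") >> >>")
    out = b"%PDF-1.4\n"
    offsets = []
    for i, obj in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return out


if __name__ == "__main__":
    # Constructed samples with a placeholder phone number and URL.
    text = b"Your services were upgraded. To halt the transaction call +1 555 010 0000"
    samples = (("receipt, text only", build_pdf(text)),
               ("receipt with /URI link", build_pdf(text, uri=b"https://example.invalid/renew", compress=True)))
    for label, pdf in samples:
        print(label, file_hashes(pdf)["sha256"][:16], scan_pdf(pdf))
```

For the text-only sample the scan returns no active keys and no URIs, only the phone number drawn as text, which matches what Marcos describes: nothing for a scanner to follow, so a detection would rest on the phone number alone. The linked sample shows what a clickable PDF looks like to the same check: the /URI count is non-zero and the target URL is listed even though the page text itself is compressed. Treat `needs_full_parser` as a hard stop for the grep, not as a verdict.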