Seems to have a hyperlink inside the PDF that actually leads you to the malicious software. So maybe that's one way it gets past virus detection. It relies on the user to grab a secondary file from the hyperlink. I might set up a VM later and see where the rabbit hole leads. Most likely a keylogger if anything at all.

On Wed, Jan 19, 2022 at 11:30 AM J. King <jking@jkingweb.ca> wrote:
On Wed, 2022-01-19 at 10:39 -0600, John Lange wrote:
> For what it's worth, I downloaded this file and scanned it with
> Windows Defender and it came back clean. I also uploaded it to a
> (free) 3rd party malware detection site which reported "No security
> vendors and no sandboxes flagged this file as malicious". So it
> appears it is just a normal phishing attack and not a malware attack.
> That being said, since it is so obviously a phish, there is no reason
> to actually open it which puts you at risk of some zero-day attack.
>
> I'm actually amazed the original post didn't get caught in spam
> filters.

If you're referring to the message Eduard sent to the list, it's not
that surprising. These days spam filters mostly rely on sender
reputation and authentication, and the message looking like what it
claims to be structurally; analysis of the text content of the message
is an unreliable indicator, though it can tip the scales when other red
flags are present. Eduard's having forwarded the spammy message (and
then the list doing likewise) destroyed both the original sender
information and the original structure, so it looks like what it is: a
legitimate user sending a legitimate message through a legitimate
mailing list.

According to the header of what I received on my end, both MUUG's MTA
and my own barely found it spammy. It seems they were only suspicious
at all because there was no authentication information (SPF, DKIM,
DMARC, ARC) attributable to Eduard's message.

--
J. King <jking@jkingweb.ca>
_______________________________________________
Roundtable mailing list
Roundtable@muug.ca
https://muug.ca/mailman/listinfo/roundtable
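
The check J. King describes, reading what the receiving MTA recorded for SPF, DKIM, DMARC and ARC, can be scripted against a saved message. This is an added example, not part of the original thread; the message, the host names and `mx.receiver.example` (standing in for your own MTA's authserv-id) are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default

METHODS = ("spf", "dkim", "dmarc", "arc")

# Constructed sample: a message relayed by a mailing list, as stamped on receipt.
# The second header mimics one injected upstream by a host we do not control.
SAMPLE = """\
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=list.example;
 dkim=none; dmarc=none header.from=member.example; arc=none
Authentication-Results: mx.untrusted.example; spf=pass; dkim=pass; dmarc=pass
From: Member <member@member.example>
To: roundtable@list.example
Subject: Fwd: invoice

See attached.
"""


def auth_summary(raw, trusted_authserv_id):
    """Return {method: result} using only headers stamped by our own MTA."""
    msg = message_from_string(raw, policy=default)
    results = {m: "absent" for m in METHODS}
    for header in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", "", str(header))  # drop (non-nested) comments
        authserv_id, _, rest = value.partition(";")
        stamp = authserv_id.split()
        if not stamp or stamp[0].lower() != trusted_authserv_id.lower():
            continue  # anyone can add this header; ignore foreign stamps
        for clause in rest.split(";"):
            m = re.match(r"\s*([a-z]+)\s*=\s*([a-z]+)", clause, re.I)
            if not m or m.group(1).lower() not in results:
                continue
            method, result = m.group(1).lower(), m.group(2).lower()
            if results[method] != "pass":  # several DKIM signatures: keep any pass
                results[method] = result
    return results


def not_passing(results):
    """Methods that give the filter nothing to build sender reputation on."""
    return [m for m in METHODS if results[m] != "pass"]


if __name__ == "__main__":
    summary = auth_summary(SAMPLE, "mx.receiver.example")
    print(summary, "not passing:", not_passing(summary))
```

In the constructed sample the only passing result is SPF for the list's own envelope domain, which says nothing about the original sender of the forwarded content.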