
Just a sample of the Echomail archive


 Message 1477 
 August Abolins to All 
 another one phishing for a bite 
 31 Mar 20 22:02:01 
 
MSGID: 2:221/360.0 5e8393a8
PID: JamNNTPd/OS2 1.3 20191227
TID: GE/2 1.2
CHRS: UTF-8 2
TZUTC: 0300
Received another suspicious email with a "Resumé" attachment just now.

No password version.

I renamed the file:

XXXXJohn Smith Resume.xls

Sent it to VirusTotal. Only ONE engine of many detected this thing.


 TACHYON == Trojan/XF.Downloader.Gen


I looked inside the file and noticed a few clues in the clear (but I obscured a
few things here with #### so no one inadvertently clicks on a link):

 C:\XTHbSJX\hQPDpQm\yNuMyDc.dl

 http://march262020.####/files/bot.dll

 URLDownloadToFileA

 http://march262020.####/files/bot.dll

 rundll32.exe,DllRegisterServer

 http://march262020.####/files

 CreateDirectory

 ShellExecute

 /bot.dll

 Excel 4.0 Macros


Very telling! Seems to me, that the simplest infection mechanism can still
find an unsuspecting victim.

The domain reference above pointed to:

 Source:  whois.apnic.net (APNIC serves the Asia Pacific region)
 IP Address:  170.106.11.8

But it arrived via Germany:

 X-EN-OrigIP: 194.25.134.80  <== via RIPE
 Received: from fwd17.aul.t-online.de (fwd17.aul.t-online.de [172.20.27.64])
 Received: from t-online.de ([64.145.94.242]) by fwd17.t-online.de

Sneaky buggers, eh?

--- TB68.4.1/Win7
 * Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)
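An added example, not part of the post above: a small Python string-triage script that does programmatically what the poster did by eye, pulling printable strings out of a file and flagging the downloader chain seen in the clear (a URL, URLDownloadToFileA, and a rundll32 launch). The sample bytes and the `march262020.example` domain are constructed stand-ins for the obscured values in the post.

```python
import re

# API names the post found in the clear inside the attachment.
SUSPICIOUS_APIS = ("URLDownloadToFileA", "ShellExecute", "CreateDirectory", "DllRegisterServer")
URL_RE = re.compile(rb"https?://[\w.\-]+(?:/[\w.\-/]*)?")
RUNDLL_RE = re.compile(rb"rundll32(?:\.exe)?", re.I)
PATH_RE = re.compile(rb"[A-Za-z]:\\(?:[\w.\-]+\\)*[\w.\-]+")

# Constructed sample standing in for the .xls; the domain is a placeholder.
SAMPLE = (
    b"\x00\x00XLS\x00"
    b"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dl\x00\x00"
    b"http://march262020.example/files/bot.dll\x00"
    b"URLDownloadToFileA\x00\x01\x02"
    b"rundll32.exe,DllRegisterServer\x00"
    b"CreateDirectory\x00ShellExecute\x00"
    b"Excel 4.0 Macros\x00"
)


def extract_strings(data: bytes, min_len: int = 5):
    """Return printable ASCII runs of at least min_len bytes (like the `strings` tool)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def triage(data: bytes) -> dict:
    """Collect URLs, local paths, suspicious APIs and launch hints from a file's strings."""
    found = {"urls": set(), "apis": set(), "paths": set(), "rundll32": False, "xlm": False}
    for s in extract_strings(data):
        found["urls"].update(m.decode() for m in URL_RE.findall(s))
        found["paths"].update(m.decode() for m in PATH_RE.findall(s))
        found["apis"].update(a for a in SUSPICIOUS_APIS if a.encode() in s)
        found["rundll32"] |= bool(RUNDLL_RE.search(s))
        found["xlm"] |= b"Excel 4.0 Macros" in s
    # The chain from the post: fetch a URL to disk, then launch it through rundll32.
    found["downloader_chain"] = (
        bool(found["urls"]) and "URLDownloadToFileA" in found["apis"] and found["rundll32"]
    )
    return found


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```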



(c) 1994,  bbs@darkrealms.ca