Author Topic: Possible virus/malware report  (Read 4940 times)


Serevinus

  • Guest
Possible virus/malware report
« on: February 06, 2011, 06:46:07 PM »
Hi,

I just received an email with an attachment that I believe to be a virus or at least malware...

Attachment removed

This file has managed to bypass at least 3 separate antivirus systems (Clam AV, Avast Server, Avast 5 IS), so maybe it is not virus/malware at all.

Subject: Post Express Service. Your package delivered! NR2029
From: Post Express <postmail-pn623@laredo.com>
Attachment: Post_Express_Label_INN19767.zip
Attachment contents: Post Express Label.exe (has an MS Word icon)
Message body (the last paragraph is hidden):
Good afternoon

Your package has been returned to the Post Express office.
The reason of the return is "Incorrect delivery address of the package"

Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the Post Express office in order to receive the packages.

Thank you for your attention.
Post Express Service.

A deputation of the assembly, apprised of his approach, came to meet him: Sire, said the president of this deputation, the assembly, eager to provide for your safety, offers you and your family an asylum in its bosom.The procession resumed its march, and had some difficulty in crossing the terrace of the Tuileries, which was crowded with an animated mob, breathing forth threats and insults. The king and his family had great difficulty in reaching the hall of the assembly, where they took the seats reserved for the ministers. Gentlemen, said the king, I come here to avoid a great crime; I think I cannot be safer than with you. Sire, replied Vergniaud, who filled the chair, you may rely on the firmness of the national assembly. Its members have sworn to die in maintaining the rights of the people, and the constituted authorities. The king then took his seat next the president. But Chabot reminded him that the assembly could not deliberate in the presence of the king, and Louis XVI.
« Last Edit: February 06, 2011, 08:46:36 PM by Serevinus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37534
  • Not a avast user

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: Possible virus/malware report
« Reply #2 on: February 06, 2011, 08:30:50 PM »
@ Serevinus
Please remove the attachment, suspect files shouldn't be posted to the forums. The last thing we want as and when this is detected is for avast to be alerting on its own support forums.

Samples should be sent directly to avast:
Send the sample to avast as an Undetected Malware:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.
Or
Send the sample to virus (at) avast (dot) com zipped and password protected with the password in email body, a link to this topic might help and false positive/undetected malware in the subject.

Note the VT results for email.eml are seen under a different MD5 and SHA1 and had a higher number of detections 17/43 http://www.virustotal.com/file-scan/report.html?id=b279e6f147eafa85a5f42619a78c57c271dfcf8895788491655b3129102075a1-1297020989.
« Last Edit: February 06, 2011, 08:41:58 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37534
  • Not a avast user
Re: Possible virus/malware report
« Reply #3 on: February 06, 2011, 08:47:49 PM »
Quote
Note the VT results for email.eml are seen under a different MD5 and SHA1 and had a higher number of detections 17/43
yepp, I only scanned the code I found inside...

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: Possible virus/malware report
« Reply #4 on: February 06, 2011, 09:03:31 PM »
Seems to make a big difference on the number of detections.

@ Serevinus
Thanks for removing the attachment.

Serevinus

  • Guest
Re: Possible virus/malware report
« Reply #5 on: February 06, 2011, 09:07:30 PM »
No problem,

Have now emailed the report

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: Possible virus/malware report
« Reply #6 on: February 06, 2011, 09:08:43 PM »
OK, as you can see (click my first image to enlarge) I have also submitted it from the avast chest.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37534
  • Not a avast user
Re: Possible virus/malware report
« Reply #7 on: February 07, 2011, 11:38:45 AM »
NORMAN analysis

Quote
The File "email.eml" is having an attachment in it namely "Post_Express_Label_INN19767.zip" in which the extracted File "Post Express Label.exe" is malicious and detected as "Suspicious_Gen2.HVSIA".
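
Added example, not part of any post in this thread: the three layers discussed above (the saved message, its ZIP attachment, and the file inside the ZIP) each have their own hash, which is why scan results for email.eml and for the extracted content are reported separately. The sketch below hashes every layer and flags executable extensions inside the archive; the sample message is constructed with placeholder bytes and example.invalid addresses, and the extension list and size limit are assumptions.

```python
import email, hashlib, io, os, zipfile
from email import policy
from email.message import EmailMessage

RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
MAX_MEMBER = 50 * 1024 * 1024  # refuse to unpack members larger than this

def record(layer, name, data):
    ext = os.path.splitext(name.lower())[1]
    digest = hashlib.sha256(data).hexdigest() if data is not None else None
    return {"layer": layer, "name": name, "sha256": digest, "risky": ext in RISKY_EXT}

def triage(eml: bytes) -> list:
    """One record per layer: the message, each attachment, each ZIP member."""
    out = [record("message", "email.eml", eml)]
    msg = email.message_from_bytes(eml, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        out.append(record("attachment", part.get_filename() or "(unnamed)", data))
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Encrypted or oversized members are listed by name but not unpacked.
                skip = info.flag_bits & 0x1 or info.file_size > MAX_MEMBER
                out.append(record("zip member", info.filename, None if skip else zf.read(info)))
    return out

def build_sample_eml() -> bytes:
    """Constructed sample: placeholder bytes under the file names from the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Post Express Label.exe", b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["Subject"] = "Post Express Service. Your package delivered! NR2029"
    msg["From"] = "Post Express <sender@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Your package has been returned to the Post Express office.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Post_Express_Label_INN19767.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for r in triage(build_sample_eml()):
        print(f"{r['layer']:<11} {r['name']:<34} risky={r['risky']!s:<5} {r['sha256']}")
```

When comparing scanner verdicts, quote the hash of the layer that was actually submitted so results for different layers are not mixed up.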