Why Friends Don’t Let Friends Run Windows: Product Pictures? Really?

This email worked its way through the filters:

Dear Business Partner,

We are very much interested in some of your product. We try to contact you online but you are not online so we decided to attach the picture of the product we need to dropbox and put it in your offline. Open the bellow link and download the attachment to preview the product we need:

... dropbox url snippage ... /Product%20Pics.rar

Let me know if the product is still available for sale and how much it costs, also tell us the product details.

Allen Moore,
Procurement Officer,
International Product Buyers

Well, I don’t generally rebuff the humble, but I don’t have any “product” for sale. Also pulling the suspicion trigger:

  • To: Recipients <Procurement@Officer.com>
  • Subject: Open Attachment For Product Picture

It’s not clear what “attach the picture of the product we need to dropbox and put it in your offline” might mean. Despite the Dropbox URL, the email sported an attachment named Product\ Pics.rar, showing they come from a different universe wherein every operating system has a native RAR extraction program.

Being a dutiful citizen of the Interwebs, I did what the nice man asked:

unrar e Product\ Pics.rar

That produced a single file which RAR described thusly:

Extracting Product Picjpg.SCR

At least that’s what it looked like on the command line. I think they were trying to overwrite the SCR with the jpg, as the file name was really Product Pic<U+202E>RCS.gpj, but the Unicode U+202E bidirectional text control character seems to be in the wrong place. I think they wanted Product Pic.SCR<U+202E>gpj, but I also confess to having no experience with sixth-level Unicode direction reversal rendering.
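As an added illustration (not code from the original post), here is a small Python check that finds bidirectional control characters in a filename, approximates what a naive renderer would display, and compares the displayed extension with the real one. The first sample name is the one from the archive above; the second is a constructed example of the canonical form of the trick, where the reversed text makes a .scr file read as .jpg.

```python
# Unicode bidirectional control characters that can make a filename display
# differently from how the filesystem actually stores it.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def rendered_name(name: str) -> str:
    """Approximate a naive bidi renderer: text after U+202E (RLO) is drawn
    reversed until a U+202C (PDF) or the end of the string; other control
    characters are simply invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = name.find("\u202c", i + 1)
            j = len(name) if j == -1 else j
            out.append(name[i + 1:j][::-1])
            i = j + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze_filename(name: str) -> dict:
    """Report the real extension, the displayed name and any hidden controls."""
    controls = [(idx, BIDI_CONTROLS[c], f"U+{ord(c):04X}")
                for idx, c in enumerate(name) if c in BIDI_CONTROLS]
    real_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    shown = rendered_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    return {
        "real_ext": real_ext,
        "displayed": shown,
        "displayed_ext": shown_ext,
        "bidi_controls": controls,
        # Flag only when a control character changes the apparent extension.
        "suspicious": bool(controls) and real_ext != shown_ext,
    }


if __name__ == "__main__":
    for sample in ("Product Pic\u202eRCS.gpj",   # name from the RAR above
                   "Product Pic\u202egpj.scr",   # constructed canonical form
                   "Product Pic.jpg"):           # constructed benign name
        print(analyze_filename(sample))
```

Run against the name from the archive, it reproduces the "Product Picjpg.SCR" seen on the command line and reports that the real extension is .gpj, not .scr.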

Anyhow, handing the entire RAR archive to VirusTotal produces the expected result:

VirusTotal - Product Pics malware file

It’s disconcerting to see ClamAV asleep at the switch on this one, but signature detection has become decreasingly relevant these days.

I opted to not respond to the request.