This email worked its way through the filters:
Dear Business Partner,
We are very much interested in some of your product. We try to contact you online but you are not online so we decided to attach the picture of the product we need to dropbox and put it in your offline. Open the bellow link and download the attachment to preview the product we need:
... dropbox url snippage ... /Product%20Pics.rar
Let me know if the product is still available for sale and how much it costs, also tell us the product details.
Regards,
Allen Moore,
Procurement Officer,
International Product Buyers
Well, I don’t generally rebuff the humble, but I don’t have any “product” for sale. Also pulling the suspicion trigger:
- To: Recipients <Procurement@Officer.com>
- Subject: Open Attachment For Product Picture
It’s not clear what “attach the picture of the product we need to dropbox and put it in your offline” might mean. Despite the Dropbox URL, the email sported an attachment named Product\ Pics.rar, showing they come from a different universe wherein every operating system has a native RAR extraction program.
Being a dutiful citizen of the Interwebs, I did what the nice man asked:
unrar e Product\ Pics.rar
That produced a single file which RAR described thusly:
Extracting Product Picjpg.SCR
At least that’s what it looked like on the command line. I think they were trying to overwrite the SCR with the jpg, as the file name was really Product Pic<U+202E>RCS.gpj, but the Unicode U+202E bidirectional text control character seems to be in the wrong place. I think they wanted Product Pic.SCR<U+202E>gpj, but I also confess to having no experience with sixth-level Unicode direction reversal rendering.
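A defensive check for the file-name trick described above, as an added example that is not part of the original post: it lists the bidirectional control characters in a name and compares the extension a bidi-aware display shows with the one the operating system acts on. The rendering is a simplified model of U+202E only; the risky-extension list and the third sample name are assumptions constructed for illustration.

```python
RLO, PDF = "\u202e", "\u202c"  # right-to-left override, pop directional formatting
BIDI_CONTROLS = set("\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
# Assumed, non-exhaustive list of extensions Windows will execute.
RISKY_EXTENSIONS = {"scr", "exe", "com", "pif", "bat", "cmd", "vbs", "js", "lnk"}

def strip_controls(text):
    """Return the name in logical (stored) order without bidi controls."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)

def extension(text):
    """Lower-cased text after the last dot, or '' when there is no dot."""
    return text.rsplit(".", 1)[1].lower() if "." in text else ""

def displayed_name(name):
    """Approximate what a bidi-aware UI draws: each run after U+202E, up to
    U+202C or the end of the string, appears reversed. Simplification: all
    other bidi controls are dropped rather than interpreted."""
    head, sep, tail = name.partition(RLO)
    if not sep:
        return strip_controls(name)
    run, _, rest = tail.partition(PDF)
    return strip_controls(head) + strip_controls(run)[::-1] + displayed_name(rest)

def inspect_name(name):
    """Summarise one file name, e.g. a member name read from an archive listing."""
    controls = [f"U+{ord(ch):04X}" for ch in name if ch in BIDI_CONTROLS]
    real = extension(strip_controls(name))   # what the OS dispatches on
    shown = extension(displayed_name(name))  # what the user believes they see
    return {
        "controls": controls,
        "displayed": displayed_name(name),
        "real_ext": real,
        "shown_ext": shown,
        "has_bidi": bool(controls),  # reason enough to quarantine a mail attachment
        "masked_risky": real in RISKY_EXTENSIONS and shown != real,
    }

SAMPLES = [
    "Product Pic\u202eRCS.gpj",  # the name as reported in the post
    "Product Pic.SCR\u202egpj",  # the variant the post speculates about
    "Product Pic\u202egpj.SCR",  # constructed: executable extension hidden by the override
    "report.pdf",                # constructed benign name
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(ascii(sample), inspect_name(sample))
```

For the name reported in the post, the modelled display matches what unrar printed on the command line, while the stored extension is gpj.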
Anyhow, handing the entire RAR archive to VirusTotal produces the expected result:

It’s disconcerting to see ClamAV asleep at the switch on this one, but signature detection has become decreasingly relevant these days.
I opted to not respond to the request.
Apparently .scr extensions are used for screen savers for Windows, which are a common vehicle for viruses. This seems to cause some antivirus software to have a knee-jerk reaction to Eagle script files (which use the same extension). The attempted Unicode trick is a new wrinkle, however.
As if you could depend on the file extension to tell you anything about a file’s contents… used to be, they’d pad the extension with a gazillion blanks to push it off to the right, out of the frame, but I suppose Unicode makes that easier.
A few days ago I spotted a URL with non-ASCII characters, replacing the “c” in “.com” with something that rendered as a cursive. That sort of fakery is now the leading edge of scamming. [sigh]
I recently got a spam e-mail of similar persuasion. The Gmail-based e-mail address to which it was sent must be too easy to guess. :P
I thought the content of “PS I”* was especially amusing.
* Spammer people, it’s PS and PPS. Add more Ps as you go along!
Yup, that looks familiar…
I wonder what would happen if you took them up on the “meet you in person” option? They’d surely want cash up front, then vanish into the woodwork!