This email worked its way through the filters:
Dear Business Partner,
We are very much interested in some of your product. We try to contact you online but you are not online so we decided to attach the picture of the product we need to dropbox and put it in your offline. Open the bellow link and download the attachment to preview the product we need:
... dropbox url snippage ... /Product%20Pics.rar
Let me know if the product is still available for sale and how much it costs, also tell us the product details.
International Product Buyers
Well, I don’t generally rebuff the humble, but I don’t have any “product” for sale. Also pulling the suspicion trigger:
- To: Recipients <Procurement@Officer.com>
- Subject: Open Attachment For Product Picture
It’s not clear what “attach the picture of the product we need to dropbox and put it in your offline” might mean. Despite the Dropbox URL, the email sported an attachment named Product\ Pics.rar, showing they come from a different universe wherein every operating system has a native RAR extraction program.
Being a dutiful citizen of the Interwebs, I did what the nice man asked:
unrar e Product\ Pics.rar
That produced a single file which RAR described thusly:
Extracting Product Picjpg.SCR
At least that’s what it looked like on the command line. I think they were trying to overwrite the SCR with the jpg, as the file name was really Product Pic<U+202E>RCS.gpj, but the Unicode U+202E bidirectional text control character seems to be in the wrong place. I think they wanted Product Pic.SCR<U+202E>gpj, but I also confess to having no experience with sixth-level Unicode direction reversal rendering.
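To make the right-to-left override trick concrete, here is a small checker, added as an example and not code from the original post, that takes file names as they would come out of an archive listing, flags any Unicode bidirectional control characters, approximates what a bidi-aware file manager would display, and compares the displayed extension with the real one. The first sample name is the one from the post; the second is a constructed name showing the more usual form of the trick (override placed so the real .SCR extension is hidden behind a displayed .jpg), and the third is a benign control. The display simulation only handles the RLO/LRO-until-PDF case and is deliberately not a full Unicode Bidirectional Algorithm.

```python
# Detect bidi-override file name spoofing, e.g. "Product Pic<U+202E>RCS.gpj".
# Added example; the second and third sample names below are constructed.

# Unicode bidirectional control characters that have no business in a file name.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}

# Extensions Windows will execute when double-clicked (hypothetical short list).
EXECUTABLE_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi", "lnk"}


def find_bidi_controls(name):
    """Return (index, codepoint, abbreviation) for every bidi control in name."""
    return [(i, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch])
            for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def simulate_display(name):
    """Approximate how a bidi-aware renderer shows the name.

    After an RLO (or LRO) the characters up to the matching PDF, or the end of
    the string, are shown reversed; all other control characters are dropped.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch in ("\u202e", "\u202d"):
            j = i + 1
            segment = []
            while j < len(name) and name[j] != "\u202c":
                segment.append(name[j])
                j += 1
            if ch == "\u202e":
                segment.reverse()
            out.append("".join(segment))
            i = j + 1  # skip the PDF if one was present
        elif ch in BIDI_CONTROLS:
            i += 1  # invisible on screen
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def real_extension(name):
    """Extension the OS actually uses: text after the last '.', controls removed."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return stripped.rsplit(".", 1)[1].lower() if "." in stripped else ""


def assess(name):
    """Summarise one file name; 'suspicious' is True if anything looks spoofed."""
    controls = find_bidi_controls(name)
    displayed = simulate_display(name)
    displayed_ext = displayed.rsplit(".", 1)[1].lower() if "." in displayed else ""
    real_ext = real_extension(name)
    suspicious = bool(controls) or displayed_ext != real_ext or real_ext in EXECUTABLE_EXTS
    return {
        "raw": name.encode("unicode_escape").decode("ascii"),
        "controls": controls,
        "displayed": displayed,
        "displayed_ext": displayed_ext,
        "real_ext": real_ext,
        "suspicious": suspicious,
    }


def scan_names(names):
    """Assess a list of archive member names and return only the suspicious ones."""
    return [r for r in (assess(n) for n in names) if r["suspicious"]]


# Constructed archive listing: the post's name, the classic variant, a benign file.
SAMPLE_NAMES = [
    "Product Pic\u202eRCS.gpj",   # from the post: displays as "Product Picjpg.SCR"
    "Product Pic\u202egpj.SCR",   # constructed: displays as "Product PicRCS.jpg"
    "Product Pics.jpg",           # constructed benign control
]

if __name__ == "__main__":
    for result in scan_names(SAMPLE_NAMES):
        print(f"{result['raw']}: shown as {result['displayed']!r}, "
              f"real extension .{result['real_ext']}, controls {result['controls']}")
```

In practice the names would come from the archive tool's listing rather than the inline list; the check is useful on a mail gateway or sandbox precisely because the control character is invisible to a human looking at the rendered name.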
Anyhow, handing the entire RAR archive to VirusTotal produces the expected result:
It’s disconcerting to see ClamAV asleep at the switch on this one, but signature detection has become decreasingly relevant these days.
I opted to not respond to the request.