This week’s email is all about Covid for all suppliers to declare their vaccination status, but the date is almost 1 year old.
After saving the attachments, it provided a case sensitive password (W485) to extract the ISO attachment into file Invoice_10-12_document_9054.iso. To examine the content of the ISO, I used Linux to mount locally the ISO to view and analyze its content.
Mounting the ISO with Linux:
mount -o loop Invoice_10-12_document_9054.iso /mnt
The ISO contains two files that appear interesting, two files are pictures and two are just random text.
The first file of interest to check out is licentiousness.cmd:
The second file of interest is relaxare.dat file with Virustotal and there was no match, then uploaded the file for analysis with the following results which matched a Banking trojan by Proofpoint and Snort.
Guy Bruneau IPSS Inc.
My Handler Page
gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Photo Credit: File:SARS-CoV-2 without background; Date 30 January 2020
Source This message is number 23312 in the Public Health Image Library (PHIL) of the CDC.
Author Alissa Eckert, MS; Dan Higgins, MAM; Permission: (Reusing this file) This image is in the public domain, though not all PHIL images are.