Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2018/08/07 18:09:48 UTC
Phish with xps attachment
Hi,
Anyone have ideas for viewing inside of an XPS file or otherwise
blocking phish attempts with xps attachments?
https://pastebin.com/KtMnNPAg
Still not detected by virus scanners and passing through Mimecast.
https://www.virustotal.com/#/file/d856d182a1b358f2ef09dc0f2253b55c2203de19bb56531e8af95394db229c9a/detection
Re: Phish with xps attachment
Posted by Pedro David Marco <pe...@yahoo.com>.
XPS is a ZIP compressed document format. I may be wrong buuuuuuuuut.... Is any serious software/company using .XPS for invoices? To me, PDF is the de facto standard for invoices...
maybe you can score the mix of .XPS + "due invoice" text
-----PedroD
> On Tuesday, August 7, 2018, 8:10:08 PM GMT+2, Alex <my...@gmail.com> wrote:
> Hi,
> Anyone have ideas for viewing inside of an XPS file or otherwise
> blocking phish attempts with xps attachments?
> https://pastebin.com/KtMnNPAg
> Still not detected by virus scanners and passing through Mimecast.
> https://www.virustotal.com/#/file/d856d182a1b358f2ef09dc0f2253b55c2203de19bb56531e8af95394db229c9a/detection
Re: Phish with xps attachment
Posted by Axb <ax...@gmail.com>.
On 08/07/2018 08:09 PM, Alex wrote:
> Hi,
> Anyone have ideas for viewing inside of an XPS file or otherwise
> blocking phish attempts with xps attachments?
>
> https://pastebin.com/KtMnNPAg
>
> Still not detected by virus scanners and passing through Mimecast.
>
> https://www.virustotal.com/#/file/d856d182a1b358f2ef09dc0f2253b55c2203de19bb56531e8af95394db229c9a/detection
>
The SA list seems like a bad replacement for a google search...
What is an XPS file format?
An XPS file is a document that contains fixed page layout information
written in the XPS page description language. It defines the layout,
appearance, and printing information for a document. XPS files are
similar to .PDF files, but saved in Microsoft's proprietary XPS format.
XPS file open in Microsoft XPS Viewer.
Report to Mimecast
Re: Phish with xps attachment
Posted by Martin Gregorie <ma...@gregorie.org>.
On Tue, 2018-08-07 at 17:28 -0400, Bill Cole wrote:
> Maybe check how you did that. Using the mimeexplode tool from the
> Perl MIME-Tools package:
>
> # mimeexplode /tmp/xpsspam
> Message: msg0 (/tmp/xpsspam)
> Part: msg0/msg-53100-1.txt (text/plain)
> Part: msg0/msg-53100-2.html (text/html)
> Part: msg0/Remittance Copy.xps (application/octet-stream)
> # ls -lAR msg0/
> total 720
> -rw-r--r-- 1 root wheel 354446 Aug 7 16:49 Remittance Copy.xps
> -rw-r--r-- 1 root wheel 336 Aug 7 16:49 msg-53100-1.txt
> -rw-r--r-- 1 root wheel 4629 Aug 7 16:49 msg-53100-2.html
> # file msg0/Remittance\ Copy.xps
> msg0/Remittance Copy.xps: Zip archive data, at least v2.0 to extract
>
Yep, that all works, and 'unzip -t msg0/Remittance\ Copy.xps' did too.
Thanks for the pointer to mimeexplode - I hadn't run across that
before. It's a useful tool.
I didn't think to use 'file' - and should have, just did what I've done
in the past, manually unpacked by using a text editor to discard
everything before and after the body of that message part and expected
'base64' to process it into something I could inspect. That's worked
for me in the past, but in this case I notice that the .xps file has
CRLF line separators, which probably got converted to LF by my text
editor - shouldda used vi, which doesn't do that.
Martin
Re: Phish with xps attachment
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 7 Aug 2018, at 15:31 (-0400), Martin Gregorie wrote:
> On Tue, 2018-08-07 at 14:09 -0400, Alex wrote:
>
>> Anyone have ideas for viewing inside of an XPS file or otherwise
>> blocking phish attempts with xps attachments?
>>
>> https://pastebin.com/KtMnNPAg
>>
> I don't think this is validly base64 encoded. I chopped it down to
> just
> the supposed base64 text and fed it through the Linux base64 decode
> utility, which gave up and said it isn't valid base 64 after decoding
> about 150 characters.
Maybe check how you did that. Using the mimeexplode tool from the Perl
MIME-Tools package:
# mimeexplode /tmp/xpsspam
Message: msg0 (/tmp/xpsspam)
Part: msg0/msg-53100-1.txt (text/plain)
Part: msg0/msg-53100-2.html (text/html)
Part: msg0/Remittance Copy.xps (application/octet-stream)
# ls -lAR msg0/
total 720
-rw-r--r-- 1 root wheel 354446 Aug 7 16:49 Remittance Copy.xps
-rw-r--r-- 1 root wheel 336 Aug 7 16:49 msg-53100-1.txt
-rw-r--r-- 1 root wheel 4629 Aug 7 16:49 msg-53100-2.html
# file msg0/Remittance\ Copy.xps
msg0/Remittance Copy.xps: Zip archive data, at least v2.0 to extract
# zipinfo msg0/Remittance\ Copy.xps
Archive: msg0/Remittance Copy.xps 354446 bytes 18 files
-rw---- 4.5 fat 1063 b- defS 1-Jan-80 00:00 [Content_Types].xml
-rw---- 4.5 fat 567 b- defS 1-Jan-80 00:00 _rels/.rels
-rw---- 4.5 fat 3566 b- stor 1-Jan-80 00:00 docProps/thumbnail.jpeg
-rw---- 4.5 fat 564 b- defS 1-Jan-80 00:00 docProps/core.xml
-rw---- 4.5 fat 287 b- defS 1-Jan-80 00:00 Documents/1/_rels/FixedDoc.fdoc.rels
-rw---- 4.5 fat 320 b- defS 1-Jan-80 00:00 FixedDocSeq.fdseq
-rw---- 4.5 fat 55552 b- defN 1-Jan-80 00:00 Resources/31AB0740-4E67-23ED-1861-906DB2445D30.odttf
-rw---- 4.5 fat 61580 b- defN 1-Jan-80 00:00 Resources/36F32615-19BB-2EEA-BD7D-5051E214FE53.odttf
-rw---- 4.5 fat 266980 b- defN 1-Jan-80 00:00 Resources/128F6B1F-5739-13F9-6E4A-207A4466DE12.odttf
-rw---- 4.5 fat 1346 b- defS 1-Jan-80 00:00 Documents/1/Pages/_rels/1.fpage.rels
-rw---- 4.5 fat 282 b- defS 1-Jan-80 00:00 Documents/1/FixedDoc.fdoc
-rw---- 4.5 fat 4990 b- defN 1-Jan-80 00:00 Documents/1/Structure/Fragments/1.frag
-rw---- 4.5 fat 50574 b- defN 1-Jan-80 00:00 Documents/1/Pages/1.fpage
-rw---- 4.5 fat 7042 b- stor 1-Jan-80 00:00 Resources/Images/image_0.png
-rw---- 4.5 fat 290 b- stor 1-Jan-80 00:00 Resources/Images/image_1.png
-rw---- 4.5 fat 481 b- stor 1-Jan-80 00:00 Resources/Images/image_2.png
-rw---- 4.5 fat 386 b- defN 1-Jan-80 00:00 Documents/1/Structure/DocStructure.struct
-rw---- 4.5 fat 527552 b- defN 1-Jan-80 00:00 Resources/01EC0564-4D18-6AF6-270E-667DA377AC79.odttf
18 files, 983422 bytes uncompressed, 350592 bytes compressed: 64.3%
The payload is not in that XPS document, which is just a picture that
claims to be an Office365 document with a big "Open File" button. That
region is linked to a URL (MUNGED: hxxps://ssllink(dot)me/1sta) which at
present redirects to a Brazilian domain which yields a 500 reply with a
"bandwidth exceeded" message. Presumably the payload used to be there...
--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole
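An added, defender-side example (not code from the thread or from any of its posters): a small Python inspector that automates the walk Bill does by hand with zipinfo, opening the XPS as the zip it is, pulling FixedPage.NavigateUri hyperlinks, Glyphs text and ImageBrush references out of each .fpage part, and flagging the "one picture carrying an external link" pattern he describes. The sample XPS it builds is constructed in memory and the URL in it is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

XPS_NS = "http://schemas.microsoft.com/xps/2005/06"
TAG = "{" + XPS_NS + "}"

def inspect_xps(data: bytes) -> dict:
    """Open an XPS container as the zip it is and summarise every *.fpage
    part: hyperlink targets, visible glyph words and image brushes."""
    report = {"pages": 0, "links": [], "words": 0, "images": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".fpage"):
                continue
            report["pages"] += 1
            for el in ET.fromstring(zf.read(name)).iter():
                # FixedPage.NavigateUri is how XPS attaches a hyperlink to a shape
                uri = el.get("FixedPage.NavigateUri")
                if uri:
                    report["links"].append(uri)
                if el.tag == TAG + "Glyphs":
                    report["words"] += len(el.get("UnicodeString", "").split())
                elif el.tag == TAG + "ImageBrush":
                    report["images"] += 1
    return report

def looks_like_image_lure(report: dict, max_words: int = 10) -> bool:
    """Pattern from the thread: a page that is essentially one picture carrying
    an external hyperlink, with almost no real text for a scanner to read."""
    external = [u for u in report["links"] if u.lower().startswith(("http://", "https://"))]
    return bool(external) and report["images"] > 0 and report["words"] <= max_words

def build_sample_xps(page_xml: str) -> bytes:
    """Constructed minimal XPS for testing; only the parts the inspector reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("Documents/1/Pages/1.fpage", page_xml)
    return buf.getvalue()

# Constructed lure page: one full-page image whose whole area is a hyperlink (placeholder URL).
LURE_PAGE = f'''<FixedPage xmlns="{XPS_NS}" Width="816" Height="1056" xml:lang="en-US">
  <Path Data="M 0,0 L 816,0 816,1056 0,1056 Z" FixedPage.NavigateUri="https://example.invalid/open">
    <Path.Fill><ImageBrush ImageSource="/Resources/Images/image_0.png"/></Path.Fill>
  </Path>
</FixedPage>'''

if __name__ == "__main__":
    print(inspect_xps(build_sample_xps(LURE_PAGE)))
```

Pointing inspect_xps at a real attachment (read the file bytes) gives the link list you would otherwise dig out of 1.fpage by hand, which is the part worth feeding into URL reputation checks or a local rule.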
Re: Phish with xps attachment
Posted by RW <rw...@googlemail.com>.
On Tue, 07 Aug 2018 20:31:25 +0100
Martin Gregorie wrote:
> On Tue, 2018-08-07 at 14:09 -0400, Alex wrote:
>
> > Anyone have ideas for viewing inside of an XPS file or otherwise
> > blocking phish attempts with xps attachments?
> >
> > https://pastebin.com/KtMnNPAg
> >
> I don't think this is validly base64 encoded. I chopped it down to
> just the supposed base64 text and fed it through the Linux base64
> decode utility, which gave up and said it isn't valid base 64 after
> decoding about 150 characters.
It worked for me.
Re: Phish with xps attachment
Posted by Martin Gregorie <ma...@gregorie.org>.
On Tue, 2018-08-07 at 14:09 -0400, Alex wrote:
> Anyone have ideas for viewing inside of an XPS file or otherwise
> blocking phish attempts with xps attachments?
>
> https://pastebin.com/KtMnNPAg
>
I don't think this is validly base64 encoded. I chopped it down to just
the supposed base64 text and fed it through the Linux base64 decode
utility, which gave up and said it isn't valid base 64 after decoding
about 150 characters.
So, I don't know what it is except that the first 4 characters look
similar to what I sort of remember the prefix of a DOS/Windows binary
looked like.
Martin