Hello Alessandro,

Given the SHA256 hashes in those replies, we've confirmed it was the original e-mail and your subsequent reply that were submitted to us, not the DLL files themselves. I'll take a look at both binaries and reply back with the signature names.

Hope this helps!

On Thu, Nov 18, 2021 at 1:49 PM Alessandro Vesely via clamav-users <clamav-users@lists.clamav.net> wrote:

> Hi all,
>
> even though I filter incoming messages with ClamAV, last Monday I received a mail with two suspicious attachments. They were PE32+ executable (DLL) (GUI) x86-64, for MS Windows. I uploaded the samples to virustotal.com, who reported they were recognized as trojans. I saved the viral message and uploaded it to https://www.clamav.net/reports/malware. On Tuesday I received the following message:
>
> -------- Forwarded Message --------
> Subject: ClamAV.net - Your malware submission
> Date: Tue, 16 Nov 2021 07:23:26 +0000 (UTC)
> From: nore...@clamav.com
> To: ves...@tana.it
>
> Alessandro Vesely,
>
> Thank you again for your submission.
>
> Your File:
> purchase-ORD (SHA256: 2ac2bb49a9135954a298cbb3e52b3ecfcb1e5e2dc6d83fac7052d4c3833ac11a)
>
> Our initial assessment shows that this file is possibly clean. If you provided a description that suggests otherwise, we will further examine the sample & proceed from there.
>
> -The ClamAV team
> -------- End Of Forwarded Message --------
>
> "If you provided" looked like a future unreal conditional to me. It is certainly unreal, given the From:. Anyway, I replied something like the following text:
>
> https://www.virustotal.com/gui/file/40392920e907b85591dac15d2f4ca49a477e0401abb3334cda2b45a9a513fd58
> 10 security vendors flagged this file as malicious
> 40392920e907b85591dac15d2f4ca49a477e0401abb3334cda2b45a9a513fd58
> Notificaion-30714_20211115.xll
>
> https://www.virustotal.com/gui/file/8c0b4c9fe9e49b8eaf449aad36ebb39235835ab2c3a49584be7d0697ecb82c21
> 11 security vendors flagged this file as malicious
> 8c0b4c9fe9e49b8eaf449aad36ebb39235835ab2c3a49584be7d0697ecb82c21
> Document-055293_20211115.xll
>
> However, on Wednesday it bounced, because ClamAV's mail server, tad.clamav.net, is persistently down. I thought that was a temporary hiccup and perhaps the ClamAV team wasn't even aware of it. So I saved the bounce, which contained the whole original message, and uploaded it to the same location, explaining that the attachment was a reply to their message, not a sample. Guess what I received on Thursday?
>
> -------- Forwarded Message --------
> Subject: ClamAV.net - Your malware submission
> Date: Thu, 18 Nov 2021 08:52:21 +0000 (UTC)
> From: nore...@clamav.com
> To: ves...@tana.it
>
> Alessandro Vesely,
>
> Thank you again for your submission.
>
> Your File:
> reply-to-Clamav-Team (SHA256: e9876ec9577e7c1b4a38236a6d18306e57e618a46d4bcfd1837cfd7e9238c281)
>
> Our initial assessment shows that this file is possibly clean. If you provided a description that suggests otherwise, we will further examine the sample & proceed from there.
>
> -The ClamAV team
> -------- End Of Forwarded Message --------
>
> What's the purpose of such messages?
>
> Meanwhile, tad.clamav.net is still down.
>
> Best
> Ale
> --
>
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

--
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975
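An added example, not part of this thread and not code from the ClamAV project, illustrating the check Christopher's reply describes: hashing the saved e-mail as a whole alongside each extracted attachment, so a submitter can see whether a SHA256 quoted back by a submission portal belongs to the .eml container or to one of the files inside it. The message, the attachment bytes and the helper names (build_sample_message, hash_message_and_attachments, classify_reported_hash) are all constructed for this demo; the attachments are harmless placeholder strings, not the .xll samples from the thread.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage


def build_sample_message() -> bytes:
    """Construct a small multipart message with two placeholder attachments.

    Everything here is made up for the demo: addresses use the reserved
    .invalid TLD and the attachment payloads are plain ASCII strings.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample with two attachments"
    msg.set_content("Body text of the constructed message.")
    msg.add_attachment(b"placeholder-attachment-1",
                       maintype="application", subtype="octet-stream",
                       filename="Document-1.xll")
    msg.add_attachment(b"placeholder-attachment-2",
                       maintype="application", subtype="octet-stream",
                       filename="Notification-2.xll")
    return msg.as_bytes()


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of a byte string, the form portals and VirusTotal display."""
    return hashlib.sha256(data).hexdigest()


def hash_message_and_attachments(raw: bytes) -> dict:
    """Hash the whole raw message and, separately, each decoded attachment.

    Returns {"message": <hex>, "attachments": {filename: <hex>, ...}}.
    Attachment payloads are base64-decoded before hashing, so the digest
    matches what you would get by hashing the saved file on disk.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"message": sha256_hex(raw), "attachments": {}}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True)
        result["attachments"][name] = sha256_hex(payload)
    return result


def classify_reported_hash(hashes: dict, reported_hex: str):
    """Tell what a hash echoed back by a portal refers to.

    Returns "message" if it is the .eml container itself, the attachment's
    filename if it is one of the extracted files, or None if it matches
    nothing we hold (e.g. the portal hashed something else entirely).
    """
    reported_hex = reported_hex.strip().lower()
    if hashes["message"] == reported_hex:
        return "message"
    for name, digest in hashes["attachments"].items():
        if digest == reported_hex:
            return name
    return None


if __name__ == "__main__":
    raw = build_sample_message()
    hashes = hash_message_and_attachments(raw)
    print("whole message:", hashes["message"])
    for name, digest in hashes["attachments"].items():
        print(f"{name}: {digest}")
    # Pretend a portal replied with the container hash: this reports "message",
    # which is the situation described in the thread (the .eml was submitted,
    # not the DLLs inside it).
    print(classify_reported_hash(hashes, hashes["message"]))
```

Run it against a real saved .eml by replacing build_sample_message() with the file's bytes; if every hash the portal echoes back classifies as "message", the files inside were never submitted on their own.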