RNP002673A5A8F3 and other suspect emails


Today four emails were received by four different email accounts with the subject “RNP002673A5A8F3” and sender “network.scanner@senderDomain.com.au”#. This was not normal and something was obviously phishy about it, so I thought I would investigate further.

[Since writing the original post, a similar email has been spreading from “DocuCentre-V C6675 T2” with the subject of “Scan Data from FX-D6DBE1”]

To check the file, I used two tools that you might find handy: Message Options## in Outlook, and the VirusTotal## website (a Google subsidiary).

Step 1: Check message options

Showing Message Options can help you find, among other things, information about

  1. servers that the email passed through, as well as
  2. the type of content that the email carries.

The Message Options on the suspect email mostly looked fine, except that I was not expecting any emails from a network scanner account and the originating computer was labelled ‘unknown’ (the receiving mail server could not find a reverse DNS name for the sending IP address).

Return-Path: <network.scanner@senderDomain.com.au>

Received: from [125.99.6.48] (unknown [125.99.6.48])
by myMailHost ([myDomainHost Mail System]) with ESMTP id C9D5416481E5
for <myemail@myDomain.com.au>; Wed, 21 Oct 2015 19:25:09 -0400 (EDT)

Checking the Message Options of the other emails that were received at the same time showed that they were also sent from an ‘unknown’ host, but what was unusual was that the host addresses were different for each.

Received: from [181.39.212.96] (unknown [181.39.212.96])

Received: from host-181-199-77-199.senderDomain.net.ec (unknown [181.199.77.199])

Legitimate senders normally relay all their mail through one email server: it saves them setting up accounts on several servers, and they have no reason to hide where their mail comes from. Senders with harmful intent, e.g. phishing, a hoax, or spreading viruses, instead send from many different hosts to make tracing who they are harder.

As a result, some people might delete emails like these, arriving from different hosts, straight away. But because a valid scan report could come from different computers that scanned the documents, I decided to investigate further.
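As an added example (not from the original post), the following Python script automates the Step 1 check: it pulls the originating hop out of each message’s bottom-most Received header, notes when the receiving server wrote ‘unknown’ (reverse DNS lookup failed), and flags a subject whose copies come from several such hosts. The messages are constructed from the headers quoted above; the benign MFD control and its address 10.0.0.5 are assumptions.

```python
import re
from email import message_from_string
from email.policy import default

# The "from HELO (reverse-dns [ip])" clause that Postfix-style relays write into Received.
HOP_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)")

# Constructed sample messages modelled on the headers quoted in the post; not real captures.
TEMPLATE = (
    "Return-Path: <{sender}>\n"
    "Received: from {hop}\n"
    "    by myMailHost ([myDomainHost Mail System]) with ESMTP\n"
    "    for <myemail@myDomain.com.au>; Wed, 21 Oct 2015 19:25:09 -0400 (EDT)\n"
    "From: {sender}\nSubject: {subject}\n\nScan attached.\n"
)
SAMPLES = [
    TEMPLATE.format(sender="network.scanner@senderDomain.com.au", subject="RNP002673A5A8F3", hop=hop)
    for hop in ("[125.99.6.48] (unknown [125.99.6.48])",
                "[181.39.212.96] (unknown [181.39.212.96])",
                "host-181-199-77-199.senderDomain.net.ec (unknown [181.199.77.199])")
]
# Assumed benign control: an in-house MFD whose address has a working reverse DNS entry.
SAMPLES.append(TEMPLATE.format(sender="scanner@myDomain.com.au", subject="Scan from MFD01",
                               hop="mfd01.myDomain.com.au (mfd01.myDomain.com.au [10.0.0.5])"))

def originating_hop(raw):
    """Return the earliest hop (bottom-most Received header) as a dict, or None."""
    received = message_from_string(raw, policy=default).get_all("Received") or []
    if not received:
        return None
    # Each relay prepends its own Received line, so the last one is where the mail entered.
    m = HOP_RE.search(" ".join(str(received[-1]).split()))
    if not m:
        return None
    helo, rdns, ip = m.groups()
    return {"helo": helo, "rdns": rdns, "ip": ip, "rdns_failed": rdns == "unknown"}

def triage(raw_messages):
    """Group by subject; flag a subject whose copies arrive from several hosts without reverse DNS."""
    by_subject = {}
    for raw in raw_messages:
        subject = str(message_from_string(raw, policy=default)["Subject"])
        entry = by_subject.setdefault(subject, {"ips": set(), "unknown_rdns": 0})
        hop = originating_hop(raw)
        if hop:
            entry["ips"].add(hop["ip"])
            entry["unknown_rdns"] += int(hop["rdns_failed"])
    for entry in by_subject.values():
        entry["suspicious"] = len(entry["ips"]) > 1 and entry["unknown_rdns"] > 0
    return by_subject
```

Run `triage(SAMPLES)` to see the scanner subject flagged and the in-house control left alone; a single message with an ‘unknown’ host is only a hint, which is why the script looks for several.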

Step 2: Save attachments and check with VirusTotal

VirusTotal is a tool to help 1) check for viruses, worms, trojans and other kinds of malicious content and 2) detect false positives. So how do you get VirusTotal to check files in your email?

Save the file in a folder:

In Outlook 2013 select the email in your Outlook message list.

    • Click the tab labelled File on the Outlook top menu.
      [Image: Outlook File Menu]
    • Click Save Attachments.
      [Image: Save Attachments LHS menu]
    • Save the attachments by clicking OK and on the ‘Save As’ screen save the file to a folder, such as the desktop.
      [Image: Save All Attachments]

Then upload the file to VirusTotal:

Go to the VirusTotal website at https://www.virustotal.com/en/

Click ‘Choose File’ and on the browse file screen select the file from the desktop. Then click the ‘Scan It!’ button.

[Image: VirusTotal]

A message will indicate the file is uploading and depending on whether your scan was the first or not, you will have the option to check out the previous scan or analyse your file (in case it is different).

[Image: File analysed]

When the results screen appears look at the information provided to find out more. For example, the number of times the file was scanned, information via the file-related menu, feedback from virus scanners and the voting image (highlighted by black boxes below).

[Image: VirusTotal Results]

Reading this information should help you determine how trustworthy the file is. For the RNP002673A5A8F3 email that triggered the writing of this blog, you might come to the same conclusion as me: that the email, and the saved file that was uploaded to VirusTotal, should be deleted.
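Added example (not from the post): a Python helper for the Step 2 workflow that lists the attachments of a saved message and computes each one’s SHA-256 in memory, so you can search the hash on VirusTotal before uploading anything. The sample message and its attachment bytes are constructed here, and the ACTIVE_CONTENT list is my assumption about which file types deserve a closer look on the report.

```python
import hashlib
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Assumed list of extensions that can carry macros or executable code; read their VirusTotal report closely.
ACTIVE_CONTENT = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm", ".js", ".vbs", ".exe", ".zip"}
# Constructed placeholder attachment bytes (an OLE-style header followed by text); not real malware.
SAMPLE_PAYLOAD = b"\xd0\xcf\x11\xe0 constructed placeholder attachment"

def build_sample():
    """Build a constructed 'scan' e-mail carrying a fake .doc attachment, as raw bytes."""
    msg = EmailMessage(policy=default)
    msg["From"] = "network.scanner@senderDomain.com.au"
    msg["To"] = "myemail@myDomain.com.au"
    msg["Subject"] = "RNP002673A5A8F3"
    msg.set_content("Please find the scanned document attached.")
    msg.add_attachment(SAMPLE_PAYLOAD, maintype="application", subtype="msword",
                       filename="RNP002673A5A8F3.doc")
    return msg.as_bytes()

def attachment_report(raw):
    """Hash every attachment in memory, without saving or opening it, so the SHA-256 can be
    searched on VirusTotal first and the file itself only uploaded if nobody has seen it."""
    msg = message_from_bytes(raw, policy=default)
    report = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        report.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "active_content": ext in ACTIVE_CONTENT,
        })
    return report
```

VirusTotal accepts a SHA-256 in its search box, so if the hash is already known you can read the existing report without uploading the file, which matters when a genuine scan would contain your own documents.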

Notes:
# Domain and host names have been changed to fictitious names at the time of writing.
## All trademarks and IPs are owned by their respective owners.

One Comment

  • Michael in Perth

    Same here, we started getting these about 32 hours ago, first with the network-scanner address, looking for all the world like the emails our Ricoh MFDs would generate when you scan a document into PDF format. This morning the source address changed to DOCUCENTRE with the actual email address as “reception@mydomainname”. Initially the attacks were against older domain names we have in use, but this morning, we got the first ones to our new domain name.
    Thankfully I have my users well trained, and none of them opened this when they didn’t scan something in. The target addresses are somewhat randomly generated, but users with common names in their email address may be more likely to be hit than ones with less common email addresses. Doesn’t seem to be using compromised address books in the initial attack.
    In my analysis, I have seen the source IP addresses for the emails to come from either the Philippines or Mongolian IP address spaces only so far.
    So far 17/55 VirusTotal scanning engines are able to identify the infection in the Word document. I submitted a sample to my AV vendor, but they won’t target the Word document as “it’s only a macro” and they say they ARE capturing the flagf2.exe file it tries to download. Doesn’t make me very confident if they start targeting other files to download. Wish they’d just mark the files as dangerous in the first place. 🙁
