A lot of copiers now have the ability to scan documents and email the result as a PDF. I’ve never quite understood why people don’t take the time to change the default subject line, which on a Xerox is something like “Scan from a Xerox WorkCentre”, to something a bit more descriptive. Worse yet, I’ve seen people here send directly from the copier to their external person instead of sending the PDF to themselves, formatting the email a bit more and then forwarding it on.
We must not be the only ones with this habit. The bad guys are using it too. I just saw some virus alerts on our inbound email.
Subject: Scan from a Xerox WorkCentre Pro $3609550
From the Symantec website: “Packed.Generic.306 is a heuristic detection for files that may have been obfuscated or encrypted in order to conceal them from anti-virus software.”
No file name was listed in the virus alert, so I thought this might be a false positive. Since I don’t have access to release quarantined messages to myself, I checked the source IP. The IPs I checked were from Guatemala. Between that and the fake-looking source email address, I’d say this is definitely malicious.
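The triage above (default copier subject, origin IP outside the network, a sender address that doesn't look like ours, and an attachment that isn't the PDF a copier would produce) can be turned into a mail-filter check. This is an added example, not code from the post or from Xerox or Symantec; the internal address range, the copier's sending domain and both sample messages are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.message import Message
from typing import List, Optional

# Assumptions (not from the post): the copiers sit in this range and send from this domain.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
COPIER_DOMAIN = "ourcorp.example"
# The default subject line quoted in the post; the lookalike adds a fake job number.
DEFAULT_SUBJECT = re.compile(r"^scan from a xerox workcentre", re.IGNORECASE)

def origin_ip(msg: Message) -> Optional[str]:
    """IP of the relay that first handed the message in (the bottom-most Received: header)."""
    hops = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1]) if hops else None
    return m.group(1) if m else None

def suspicious_reasons(raw: str) -> List[str]:
    """Why a copier-lookalike mail is suspicious; an empty list means it passes these checks."""
    msg = message_from_string(raw)
    reasons: List[str] = []
    if not DEFAULT_SUBJECT.match(msg.get("Subject", "")):
        return reasons                      # not impersonating the copier; out of scope here
    ip = origin_ip(msg)
    if ip is None or ipaddress.ip_address(ip) not in INTERNAL_NET:
        reasons.append(f"origin {ip} is outside the internal network")
    sender = msg.get("From", "")
    if not sender.lower().rstrip(">").endswith("@" + COPIER_DOMAIN):
        reasons.append(f"sender {sender!r} is not the copier's domain")
    for part in msg.walk():                 # a real scan carries exactly one PDF
        name = part.get_filename()
        if name and not name.lower().endswith(".pdf"):
            reasons.append(f"attachment {name!r} is not a PDF")
    return reasons

# Constructed sample messages (203.0.113.0/24 is a documentation range, not a real source).
REAL_SCAN = """From: copier@ourcorp.example
Subject: Scan from a Xerox WorkCentre
Received: from xerox-3f (xerox-3f.ourcorp.example [10.1.2.3]) by mx.ourcorp.example
Content-Disposition: attachment; filename="Scan_001.pdf"

"""
LOOKALIKE = """From: xerox@ourcorp.example.invalid
Subject: Scan from a Xerox WorkCentre Pro $3609550
Received: from mx.ourcorp.example (mx.ourcorp.example [10.0.0.5]) by mailbox.ourcorp.example
Received: from unknown (unknown [203.0.113.7]) by mx.ourcorp.example
Content-Disposition: attachment; filename="Scan_3609550.zip"

"""
```

Running `suspicious_reasons` over the two samples returns an empty list for the real scan and three reasons for the lookalike (external origin, foreign sender domain, non-PDF attachment), which is the same conclusion the manual check reached.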
Update: Here’s a link to a Barracuda blog post on the subject.