Can I trust SonicWall's analysis?
Received the following email, with attachment ORDER_1910802.pdf.
Dear customer,
Thank you for choosing us and our products! processing your order.
Please note that your parcel might get in late due to COVID-19 alert. Your order № is WF50G0Y5W
We would like to let you know that your order may include a couple of packages with various conveyance dates.
It will be shipped out within 4 business days via DHL, per your request.
Your charge incorporates the whole cost and shipping costs. We really hope you will stay pleased with our products.
By any chance that you might want to change or drop the order, feel free to contact us through our Customer Service Center at: +1(716)-3094-249.
Respectfully yours, sport nutrition online store MegaBody Nutritions US.
This email has been checked for viruses by avast antivirus software
Clearly this is a scam.
I saved the PDF file and uploaded it to Capture ATP for analysis. The report came back clean.
I am curious to know what the contents of this file are so that I can write an article about this kind of thing and warn my clients. But...
I really need to know if I can trust the C-ATP result.
Any thoughts?
Answers
Hi @Larry,
Could you try to scan the file on https://www.virustotal.com/gui/ to check if the file is reported as Malicious? If so, we can raise concern to the respective team.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Good suggestion. Here's the result:
Of note, however, are the "unreported" entities at the bottom of the list:
Of particular concern is SentinelOne - which is the basis for SonicWall's Capture Client.
Triple-checking now with the folks at Cynet.
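Added example, not code from this thread, SonicWall or VirusTotal: a defender-side triage script for the VirusTotal suggestion above and the "unreported" engines it turned up. It hashes the saved attachment, looks the hash up on VirusTotal's v3 files endpoint instead of re-uploading, buckets engines that returned no verdict separately from genuine clean votes, and does a cheap static check for active PDF content. The VT_API_KEY environment variable name, the engine names and the sample results are assumptions or constructed samples.

```python
import hashlib
import json
import os
import re
import sys
import urllib.request

# VirusTotal v3 engine categories that mean "gave no verdict", not "clean".
NO_VERDICT = {"type-unsupported", "timeout", "failure", "confirmed-timeout"}
# PDF name objects that can run code or fetch content when the file is opened.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFiles?|URI)(?![A-Za-z])")
SAMPLE_RESULTS = {  # constructed stand-in for a VT `last_analysis_results` mapping
    "EngineA": {"category": "undetected"}, "EngineB": {"category": "type-unsupported"},
    "EngineC": {"category": "malicious", "result": "Trojan.Generic"}, "EngineD": {"category": "timeout"}}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def summarize_results(results: dict) -> dict:
    """Bucket engines by verdict; `no_verdict` engines never scanned the file."""
    summary = {"malicious": [], "suspicious": [], "clean": [], "no_verdict": []}
    for engine, verdict in sorted(results.items()):
        category = verdict.get("category", "")
        if category in ("malicious", "suspicious"):
            summary[category].append(engine)
        elif category in NO_VERDICT:
            summary["no_verdict"].append(engine)
        else:  # "undetected" or "harmless"
            summary["clean"].append(engine)
    return summary

def pdf_active_features(data: bytes) -> list:
    """Distinct active-content keywords in raw PDF bytes. Absence proves nothing
    (objects may sit in compressed streams); presence is a reason to sandbox."""
    return sorted({m.group(1).decode() for m in PDF_ACTIVE.finditer(data)})

def fetch_vt_results(sha256: str, api_key: str) -> dict:
    """Look up the existing report by hash rather than re-uploading the file."""
    req = urllib.request.Request(f"https://www.virustotal.com/api/v3/files/{sha256}",
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]["attributes"]["last_analysis_results"]

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:  # e.g. the saved ORDER_1910802.pdf
        blob = fh.read()
    digest = sha256_hex(blob)
    key = os.environ.get("VT_API_KEY")  # assumed env var; sample results used without it
    results = fetch_vt_results(digest, key) if key else SAMPLE_RESULTS
    print(digest, pdf_active_features(blob), summarize_results(results))
```

A file that only "unreported" engines failed to scan has not been cleared by them; count the `no_verdict` bucket as unknown when weighing a clean result.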
@Larry - SonicWall Capture Client uses the SentinelOne agent for analysis. Our CATP service uses sandboxing technology in the cloud for analysis.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
It turns out that the PDF file contained a very nicely formatted invoice - quite unlike the very badly formatted email.
I'm guessing a script kiddie didn't quite create the payload the way it should have been.
All good.
@Larry - Sounds interesting. Glad to know that all is good for now. Cheers!!!
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services