
24 Aug 2017

Check files for malware using VirusTotal

Recently I received a fake DHL e-mail and I was interested in the attached Word doc. I wondered what was in it and whether it really was dangerous or not, but I did not want to put myself in any danger, and I definitely did not want to open the doc in Word! How could I investigate this file in safety? I saved the e-mail from Outlook as an MSG file. I scanned it using Emsisoft's emergency scanner but it didn't find anything. Next I used VirusTotal, and that's what I want to talk about in this article today.

VirusTotal is a website run as a free service. You can upload a suspect file there and it will run it through dozens of anti-malware scanners from different vendors. It displays each engine's verdict alongside characteristics of the file itself (hashes, file type, embedded objects). It even shows all the different names the various anti-malware companies use for the same piece of malware, which is handy because vendors rarely agree on naming.


Example
Here's an example based upon that fake DHL e-mail I received in Outlook.

Open the Outlook e-mail, click File | Save As


Save

You will end up with an MSG file. The MSG file contains the e-mail message text and the attachment (in my case it was a Word doc file). Will VirusTotal be clever enough to find the attachment inside the MSG file?

Browse to https://www.virustotal.com


Click Upload and scan file

Select the MSG file

The results will be displayed...


At the top it shows you how many anti-malware engines scanned the file and how many of them flagged something nasty inside it. In my example above, 13 out of 58 found malware in the file. The total varies from scan to scan, because not every engine supports every file type, and a low count does not prove a file is clean: brand-new malware frequently scores zero on its first day.
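The steps above use the website, where you upload the file by hand. The same check can be scripted, and there is a useful twist: VirusTotal can be queried by the file's SHA-256 hash, so you can find out whether it has already seen the file without sending the file anywhere. The script below is an added example, not code from the original post or from VirusTotal. It assumes the VirusTotal v3 REST endpoint `GET https://www.virustotal.com/api/v3/files/{sha256}` authenticated with an `x-apikey` header, and a (free) API key in the `VT_API_KEY` environment variable. The sample report embedded in it is constructed for illustration, with made-up engine names and verdicts, so the summarising logic can be exercised offline.

```python
"""Look up a suspect file on VirusTotal by hash, then summarise the report the way the
website does (detection ratio, identified file type, per-engine detection names).

Added example, not from the original post. Assumes the VirusTotal v3 API
(GET /api/v3/files/{sha256}, 'x-apikey' header) and a key in $VT_API_KEY.
"""
import hashlib
import json
import os
import sys
import urllib.request
from urllib.error import HTTPError

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def sha256_hex(data):
    """SHA-256 of a byte string, as the lowercase hex digest VirusTotal indexes files by."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Hash a file in chunks so a large MSG does not have to fit in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_report(sha256, api_key):
    """Return the parsed v3 file report, or None if VirusTotal has never seen the hash.

    Only the hash leaves your machine; the file itself is never transmitted.
    """
    req = urllib.request.Request(VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except HTTPError as e:
        if e.code == 404:          # unknown hash: nobody has submitted this file yet
            return None
        raise


def summarise(report):
    """Reduce a v3 file report to the figures shown on the website.

    'malicious' / 'total' is the ratio at the top of the results page; 'total' counts
    engines that actually returned a verdict, so 'type-unsupported' and 'timeout' entries
    are left out of the denominator. 'names' maps each flagging engine to its own name
    for the threat, i.e. the per-vendor names the post mentions.
    """
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    names = {
        engine: r["result"]
        for engine, r in attrs["last_analysis_results"].items()
        if r.get("category") in ("malicious", "suspicious") and r.get("result")
    }
    return {
        "malicious": stats.get("malicious", 0),
        "total": total,
        "type": attrs.get("type_description", "unknown"),
        "names": names,
    }


# Constructed sample report (engine names and verdicts are made up) so summarise()
# can be exercised without network access.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "type_description": "Outlook Message",
            "last_analysis_stats": {"malicious": 2, "suspicious": 0, "undetected": 1,
                                    "harmless": 0, "type-unsupported": 1, "timeout": 0},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "W97M/Downloader.gen"},
                "EngineB": {"category": "malicious", "result": "Trojan.MSOffice.Agent"},
                "EngineC": {"category": "undetected", "result": None},
                "EngineD": {"category": "type-unsupported", "result": None},
            },
        }
    }
}

if __name__ == "__main__":
    path = sys.argv[1]
    digest = sha256_of_file(path)
    print("SHA-256:", digest)
    report = fetch_report(digest, os.environ["VT_API_KEY"])
    if report is None:
        print("VirusTotal has not seen this file. Decide deliberately before uploading it.")
        sys.exit(0)
    s = summarise(report)
    print(f"{s['malicious']} / {s['total']} engines flagged it; type: {s['type']}")
    for engine, name in sorted(s["names"].items()):
        print(f"  {engine:20} {name}")
```

Run it as `python vtcheck.py suspect.msg`. Because the lookup is by hash, a confidential document never leaves your machine; if the hash is unknown, that is itself worth noting (fresh phishing lures are often unseen), and you can then make a conscious decision about whether uploading the file, and thereby sharing it with VirusTotal's community and vendors, is acceptable.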

Click on Details to see more information


The above screenshot shows the Details page with the Basic Properties of the file. You can see that it has identified the Word doc inside and lists some of its characteristics. This means that VirusTotal is clever enough to read an MSG and examine the attachments embedded inside it.

Scroll down and there's more information:


Under the OLE section I found some interesting details. The Code Page is Cyrillic, yet this e-mail was written in German. Why would a German e-mail carry a Word doc produced on a PC set to use Cyrillic? It's not conclusive evidence of anything, but it does raise suspicions (if we weren't already very suspicious, of course!). The template it is based upon is a dotm, which is Word's macro-enabled template format, so there could well be macros inside; again this points toward it being a dangerous file, as Office macros are a common way of delivering malware. In the screenshot above you can also see that VirusTotal has listed the macros it found inside the file anyway. This is for sure a dangerous file that I will definitely delete.


Conclusion
VirusTotal is an excellent way to investigate possibly virus- or malware-infected files in safety. The website is free, but there are some conditions of use; please read those before using it. One thing they do is keep the files you submit and the results of your scan in their database and share them with the anti-malware vendors. This is a community approach, where they can build up a picture of threats, but it also means you should never upload anything confidential; if a file might contain private data, search VirusTotal for its hash first and only upload it if you are happy for others to see it. The best thing is that it uses so many anti-malware engines to scan for malware. You can see all the different names each vendor uses, which could help you analyse the threat at an even deeper level. For IT professionals wishing to understand threats to better protect networks and computers, VirusTotal is an invaluable tool.

For a home user, it's also very helpful. However, I would recommend that you are always extra cautious when handling any suspect file: a clean-looking result is not a guarantee, and you should never enable macros in a document you did not ask for. Make sure you have anti-malware software installed on your computer, make sure your system updates and patches are up to date and, most important of all, make sure you have plenty of backups.




