Scanner sent you a document? Beware of malware attack


Here is an email I received this morning, claiming to come from an email address at my domain name: .


The email is fairly perfunctory with its subject line of "Scan from KM1650", and its body text of "Please find attached your recent scan".

Attached to the email is a Microsoft Word document called =SCAN7318_000.DOC.

Now, this might be slightly plausible if I had a scanner attached to my network which I had configured to email me scans. But I don't.

One assumes the criminals behind the attack are banking that my place of work uses a Kyocera KM-1650 multi-function printer, or that I'm simply so excited about receiving an email from a scanner that I would open the attachment without even thinking.

Of course, if you receive the malware in your email chances are that it won't claim to be from . Instead, it will probably pretend to be instead, where matches the domain and tld of your email address.

There has been a long history of cybercriminals spamming out malware pretending to be from printers and scanners, and there have been a number of recent campaigns suggesting that it's a disguise that continues to dupe the unwary.

A quick check on VirusTotal reveals that relatively few anti-virus products are identifying the malware presently, but I can tell you that the Word document contains auto-executing macros that attempt to download further malicious code from the net designed to infect your Windows PC.
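Because signature detection is thin at this stage, the traits of the lure itself (a sender at the recipient's own domain, a scanner-style subject, a Word attachment) are worth checking at the mail gateway. The following is an added example, not code from the original post; the addresses, the Authentication-Results header, the attachment name and bytes, and the rule wording are all constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the lure above; every value is a placeholder.
SAMPLE = """\
From: scanner@example.com
To: alice@example.com
Subject: Scan from KM1650
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find attached your recent scan
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="SCAN0001_000.DOC"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--b1--
"""

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of legacy Office files
MACRO_EXTS = (".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm")
DEVICE_SUBJECT = re.compile(r"^\s*scan(ned)?\b.*\bfrom\b", re.I)

def domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return the list of reasons a raw message resembles the scanner lure."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    # Only trust Authentication-Results stamped by your own receiving server.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if domain(msg["From"]) and domain(msg["From"]) == domain(msg["To"]):
        if "spf=pass" not in auth and "dkim=pass" not in auth:
            reasons.append("own-domain sender without SPF/DKIM pass")
    if DEVICE_SUBJECT.search(msg["Subject"] or ""):
        reasons.append("scanner-style subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(MACRO_EXTS) or data.startswith(OLE_MAGIC):
            reasons.append(f"macro-capable attachment: {part.get_filename()}")
    return reasons
```

Calling `triage(SAMPLE)` returns all three reasons. A production rule would check DMARC alignment of the From domain rather than a bare SPF or DKIM pass.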

Always be suspicious of unsolicited emails, and be wary of opening files which may be attached to them. Acting recklessly with the contents of your inbox could mean your computer ends up compromised and your bank account plundered.

Repeat after me:

"Thou shalt not open dodgy-looking attachments in unsolicited emails"


3 Comments on "Scanner sent you a document? Beware of malware attack"

Poster Venti
February 11, 2016 11:07 pm

Just a thought that might make this a bit easier to understand (for many people):

'matches the domain and tld of your email address.'

When I first read that the font and my tired head made me read the L as 'I' but then I realised that it is actually 'L' (I suppose that's another reason to write the abbreviation in upper case). I know most won't know what it is and most won't care but you could just explain it away by saying (just to give an example):

'where is your email domain' (because after all people think of as a domain even though it's not that simple). Or another way:

'where is what's after the @ in your email address'

Because let's be honest. Most people owning domains won't understand what top level domain means and even if they do they probably don't understand the (subtle) difference between a zone and a domain (or much of anything in DNS other than it maps from name to IP and IP to name). Besides administrators very few would even care about this as long as it works.

February 11, 2016 11:56 pm

9 hours later – 5 out of 54 products flag it.

Antivirus software usually does not protect you against emailed trojans.

February 12, 2016 3:34 pm

As someone with only a basic knowledge of TLDs etc and the full workings of email my question is how exactly does a spammer make the email appear to come from your email address when it has not been compromised? How do you send an email that looks like it comes from when you have not first hacked and taken control of Are they just altering the 'reply to' address and my basic email program isn't able to/set up to display the full email header which would show the true origin email address?