
UTM and Endpoint not catching these viruses. Why?

Here is a link to the offending file. DO NOT ACTUALLY OPEN THE FILE DUH. https://drive.google.com/file/d/0B3H7HjnNAg5QSHdfZS1Sb2VYUzQ/view?usp=sharing

We have been getting inundated with files like this for months now that drop a payload, and Sophos never catches it. We are told by Sophos to submit the files so their signatures can be added, and we have done this for every one that has come in.

The problem is that the file changes slightly every time but has the same BEHAVIOR; there is no SIGNATURE for the DOC file, but it is the same BEHAVIOR.

Somewhere around line 143 in Notepad++ (a text editor), the code below shows up. This is the same BEHAVIOR in every DOC file we have seen, yet it always gets past our Sophos UTM and the Sophos Endpoint Anti-Virus on the computer.

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿãÔ [1] stp1.exe C:\Aaaa\exe\stp1.exe

 '   C:\Users\M\AppData\Local\Temp\stp1.exe

This is very disconcerting.
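As an added illustration of the point made above (same behaviour, different bytes each time), here is a small heuristic check that is not Sophos code and not part of the original thread: it ignores the mutable document body and looks only for what the quoted excerpt shows, namely an executable path staged under a user-writable directory and the same executable name appearing under two different directories. The sample bytes are constructed to mirror the strings quoted in the post.

```python
import re

# Constructed stand-in for the bytes of one of these .doc files: OLE padding
# followed by the dropper strings quoted in the post (ASCII, then UTF-16LE).
SAMPLE_DOC = (
    b"\xff" * 32
    + b"\xe3\xd4 [1] stp1.exe C:\\Aaaa\\exe\\stp1.exe\x00\x00"
    + "'   C:\\Users\\M\\AppData\\Local\\Temp\\stp1.exe".encode("utf-16-le")
)

ASCII_STR = re.compile(rb"[\x20-\x7e]{6,}")            # printable ASCII runs
WIDE_STR = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")     # UTF-16LE runs
COMP = r'[^\\"\'<>|\s]+'                               # one path component
EXEC_PATH = re.compile(
    rf"[A-Za-z]:\\(?:{COMP}\\)*{COMP}\.(?:exe|scr|bat|cmd|vbs|js|ps1)\b", re.I)
# Directories a dropper typically stages its payload in (heuristic list).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\programdata\\", "\\public\\")

def strings(blob):
    """strings(1)-style extraction of ASCII and UTF-16LE text from raw bytes."""
    out = [m.group().decode("ascii") for m in ASCII_STR.finditer(blob)]
    out += [m.group().decode("utf-16-le") for m in WIDE_STR.finditer(blob)]
    return out

def exec_paths(blob):
    """Every Windows executable path embedded in the blob, in either encoding."""
    return [p for s in strings(blob) for p in EXEC_PATH.findall(s)]

def assess(blob):
    """Flag a document that references an executable in a staging directory, or
    the same executable name under two different directories (the drop-then-copy
    pattern from the post), regardless of how the rest of the file is mutated."""
    paths = exec_paths(blob)
    staged = [p for p in paths if any(d in p.lower() for d in STAGING_DIRS)]
    by_name = {}
    for p in paths:
        by_name.setdefault(p.rsplit("\\", 1)[-1].lower(), set()).add(p.lower())
    copied = sorted(n for n, locs in by_name.items() if len(locs) > 1)
    verdict = "suspicious" if staged or copied else "clean"
    return {"paths": paths, "staged": staged, "copied": copied, "verdict": verdict}

if __name__ == "__main__":
    print(assess(SAMPLE_DOC))
```

Running this over a mail gateway's quarantine folder gives a behaviour-style triage signal that does not depend on a per-sample signature.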

  • Hi Christopher,

    Is it possible for you to send me a private mail with this doc file? I want to test Sophos Sandstorm, which is running in my test lab.

    If yes, I will send you my private mail address via PM.

    With a pattern-based SMTP scan engine, no vendor can detect malicious scripts in these files.

    Regards

    mod
