Fake DOC invoice - ran the file


Hello,
 
Today at work I came across a fake email message with a DOC file attached (a fake invoice).
 
I knew it was a malicious file, but I forwarded the mail to my personal address and launched it at home to test Webroot.
 
With Webroot correctly enabled, and connected to the Internet, launching the DOC with Word 2016 and allowing Macros let the virus run (10+ "CMD.EXE" processes were created, entries to the registry were saved, RUNDLL TMP files were launched etc.) without ANY reaction from Webroot antivirus (no popups, no process activity, nothing).
 
I let the virus run for 10 seconds, then I rebooted my computer. Still no reaction from Webroot.
 
How is Webroot supposed to react when a virus infection is spreading in real time?

3 replies

Userlevel 7
Hi Moi
 
Firstly, we do not recommend or support amateur malware testing & secondly discussion of such is contrary to Community Guidelines.
 
Having said that, if you believe that you have identified an issue with WSA then your best approach would be to Open a Support Ticket to advise the Support Team of the circumstances so that they can investigate.
 
In the interim you can check whether the .DOC file is indeed infected/carrying malware by submitting it to Webroot for analysis using this site. Give that a try to confirm as to whether the premise of your post is true or in fact flawed.
 
Regards, Baldrick
Hello,
 
The file seems to be infected, according to VirusTotal:
 
https://www.virustotal.com/fr/file/0c7a1028181d56d554846a3028177740f4fa56adf345fc588a409ad0451f6ffa/analysis/1464669509/
 
I have submitted the file to Webroot.
Userlevel 7
Hi Moi
 
Well, it certainly looks like it is from what is coming back from VirusTotal. Probably one of the few files that may not have been 'seen' yet by the Webroot Cloud...but with your reporting of it I am sure that will be put right in fairly short order.
 
Thanks for posting.
 
Baldrick
