What could a zipped exe attached to a suspicious e-mail be?

A friend in California forwarded a suspicious e-mail to me to check out:

"From: Notice to Appear

Sent: Saturday, December 28, 2013 11:12 AM

Subject: Notice to appear in court NY5002

Notice of appearance,

Hereby you are informed that you are due in the court of New York

on the 16 of January, 2014 at 11:00 am for the hearing of your case.

You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.

Please, download the copy of the court notice attached herewith to read the details.

Note: The case may be heard by the judge in your absence if you do not come.

Yours truly,

Anderson King

Clerk to the Court."

But the "Notice to Appear" in the From field was support.3 at a major worldwide law firm with an office in NY (likely forged), and "Clerk to the Court" looks fishy (shouldn't that be "Clerk of the Court"?). And it does not say which court or case they are referring to (no address, phone number, etc.). Unfortunately I cannot see the full headers of the original message in the forwarded copy, so I cannot tell where it really might have originated from.

The attachment was a zip file containing a 173056 byte file called Court_Notice_NY_Meagher_and_Flom.exe, which I extracted in Linux. The "file" command in Linux shows it as "PE32 executable (GUI) Intel 80386, for MS Windows", and looking at it with a hex/ASCII editor shows near the beginning that it will not run in DOS mode. Scanning the file with MS Security Essentials or Malwarebytes in Windows does not reveal anything.

So I am just curious what this file could be or what its purpose is. Who in their right mind is going to run a suspicious exe file, other than a clueless Windows user who has not enabled file extensions to be shown? Certainly if this was something legitimate it should be some operating-system-independent file, like a PDF, not a Windows-only file.
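The triage the asker did by hand (unzip, run `file`, look for the DOS-stub string) can be done without ever extracting the member to disk or executing it. The script below is an added example, not code from the original post: it builds a constructed zip in memory holding a minimal PE32 header stub (a header only, not a runnable program) plus a harmless text file, then lists every member, flags executable and document-looking double extensions (the "extensions hidden" trick the asker mentions), parses the DOS and PE headers to recover the same machine type and subsystem that `file` reported, and records a SHA-256 for reputation lookup. All filenames, extension lists and sample bytes are constructed for the example.

```python
"""Static triage of a zipped e-mail attachment (added example; nothing here runs the member)."""
import hashlib
import io
import struct
import zipfile

# Extensions Windows will execute directly; a constructed, non-exhaustive list.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Extensions typically spoofed in a double-extension name such as notice.pdf.exe.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt", ".jpg"}

MACHINE_NAMES = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEM_NAMES = {1: "native", 2: "GUI", 3: "console"}
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def parse_pe(data: bytes):
    """Parse the DOS and PE headers; return a summary dict, or None if this is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of the "PE\0\0" signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature: Machine, NumberOfSections, ..., SizeOfOptionalHeader at +16.
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0] if opt_size >= 2 and opt_off + 2 <= len(data) else 0
    # Subsystem sits at offset 68 of the optional header for both PE32 and PE32+.
    subsystem = 0
    if opt_size >= 70 and opt_off + 70 <= len(data):
        subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]
    return {
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "sections": nsections,
        "dos_stub": DOS_STUB_TEXT in data[:e_lfanew],   # the string the asker saw in the hex editor
    }


def classify_name(name: str):
    """Return (is_executable_extension, is_document_double_extension) for a member name."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    exts = ["." + p for p in parts[1:]]
    is_exec = bool(exts) and exts[-1] in EXEC_EXTENSIONS
    double = is_exec and len(exts) >= 2 and exts[-2] in DOC_EXTENSIONS
    return is_exec, double


def triage_zip(zip_bytes: bytes):
    """Inspect every member of an attachment archive in memory, without writing or running anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            is_exec, double = classify_name(info.filename)
            pe = parse_pe(data)
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "sha256": hashlib.sha256(data).hexdigest(),  # hash for a reputation/sandbox lookup
                "exec_extension": is_exec,
                "double_extension": double,
                "pe": pe,
                # Content check matters more than the name: a PE renamed to .txt is still a PE.
                "suspicious": is_exec or pe is not None,
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a zip holding a bare PE32 header stub (not a runnable program) and a text file."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)              # e_lfanew -> PE signature at 0x80
    dos[0x40:0x40 + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                    # Subsystem: Windows GUI
    fake_exe = bytes(dos) + coff + bytes(opt) + b"\0" * 256
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Court_Notice_sample.exe", fake_exe)  # constructed name modelled on the question
        zf.writestr("readme.txt", b"harmless text member")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

Run it as-is to see the two findings; point `triage_zip` at the bytes of a real attachment (read in binary mode) to get the same report. The hash is what you would submit to a reputation service when local signature scanners come back clean, as they did for the asker.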

5 Answers

  • Favorite Answer, 7 years ago

    XXXXXXXXX.exe files are NOT allowed in ANY email. IF any infection is there, by opening or clicking, a user would be directed to the actual site delivering the payload.

    Several things would have to be considered: is the file in question packed (to prevent reverse engineering), and is it obfuscated (and how many times)?

    I would be more than happy to analyze it for you.

  • 7 years ago

    Courts can't/don't send summonses by e-mail. It's all personal delivery or U.S. Postal Service.

  • 7 years ago

    If you're asking what it is, it's most likely an autorun for installing a fake antivirus and so on. Here's a video of what it would look like if you run it with no malware protection and/or virus.

  • 7 years ago

    That's why most of the email providers have an option called "scan the attachment" for this purpose only, so they don't let you easily infect your computer.
