Scanner sent you a document? Beware of malware attack

Graham Cluley
Graham Cluley
@[email protected]


Here is an email I received this morning, claiming to come from an email address at my domain name: [email-obfuscate email=”[email protected]” linkable=”0″].

Scanner malware

The email is fairly perfunctory with its subject line of “Scan from KM1650”, and its body text of “Please find attached your recent scan”.

Sign up to our free newsletter.
Security news, advice, and tips.

Attached to the file is a Microsoft Word document called =SCAN7318_000.DOC.

Now, this might be slightly plausible if I had a scanner attached to my network which I had configured to email me scans. But I don’t.

One assumes the criminals behind the attack are banking that my place of work uses a Kyocera KM-1650 multi-function printer, or that I’m simply so excited about receiving an email from a scanner that I would open the attachment without even thinking.

Of course, if you receive the malware in your email chances are that it won’t claim to be from [email-obfuscate email=”[email protected]” linkable=”0″]. Instead, it will probably pretend to be [email protected] instead, where matches the domain and tld of your email address.

There has been a long history of cybercriminals spamming out malware pretending to be from printers and scanners, and there have been a number of recent campaigns suggesting that it’s a disguise that continues to dupe the unwary.

WordA quick check on VirusTotal reveals that relatively few anti-virus products are identifying the malware presently, but I can tell you that the Word document contains auto-executing macros that attempt to download further malicious code from the net designed to infect your Windows PC.

Always be suspicious of unsolicited emails, and be wary of opening files which may be attached to them. Acting recklessly with the contents of your inbox could mean your computer ends up compromised and your bank account plundered.

Repeat after me:

“Thou shalt not open dodgy-looking attachments in unsolicited emails”

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

5 comments on “Scanner sent you a document? Beware of malware attack”

  1. coyote

    Just a thought that might make this a bit easier to understand (for many people):

    'matches the domain and tld of your email address.'

    When I first read that the font and my tired head made me read the L as 'I' but then I realised that it is actually 'L' (I suppose that's another reason to write the abbreviation in upper case). I know most won't know what it is and most won't care but you could just explain it away by saying (just to give an example):

    'where is your email domain' (because after all people think of as a domain even though it's not that simple). Or another way:

    'where is what's after the @ in your email address'

    Because let's be honest. Most people owning domains won't understand what top level domain means and even if they do they probably don't understand the (subtle) difference between a zone and a domain (or much of anything in DNS other than it maps from name to IP and IP to name). Besides administrators very few would even care about this as long as it works.

  2. drsolly

    9 hours later – 5 out of 54 products flag it.

    Antivirus software usually does not protect you against emailed trojans.

  3. Simon

    As someone with only a basic knowledge of TLDs etc and the full workings of email my question is how exactly does a spammer make the email appear to come from your email address when it has not been compromised? How do you send an email that looks like it comes from [email protected] when you have not first hacked and taken control of Are they just altering the 'reply to' address and my basic email program isn't able to/set up to display the full email header which would show the true origin email address?

    1. Sam-Elie · in reply to Simon

      I know this is old but i thought i'd give you the info anyways..
      Anyone with a proper email server software (which can be obtained for free and installed easily on any OS), or access to an open email relay server can send whatever email they like..setting the FROM part of the email to whatever they want.
      Luckily most email service providers (at the receiving end) filter for that, calling it SPAM and sending it to your junk box or even totally rejecting the message.

      A few examples of filtering methods used at the providers level would be, RDNS, SPF, Matching IP to MX entries, Email content Analysis (spamAssassin and the likes…).
      Some, like myself, even go a few steps further to ensure the SPAM is kept out by constantly monitoring and detecting the ever renewing methods of SPAMing and implementing counter measures to stop them.
      One other method which i've found to be quite effective is to use BlackLists (DNSBL). Those are lists of IP addresses (hence computer station or a network of) that have a reputation of constantly sending spam. these lists help mitigate over 90% of SPAM.

      I hope this was informative enough.

  4. Watermeloon

    just got this too

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.