~/articles/a-trojan-why-uuc

I use anonymous messengers a lot, since I'm not a fan of the idea that corporations are training AI models on my data. Before self-hosting a Matrix server, I used Telegram mainly with my family, just for the sake of privacy (and also for my dad, who lives in China and deserves freedom of speech too, at least within the family).

I still have the Telegram account and I still use it for calls, because there is a mysterious bug where calls via Matrix/Element hang up on their own when I'm talking to my mom. Only to her.

Today I received a message from a stranger on Telegram, saying "The bills don't add up, have a look". Out of curiosity, I downloaded the file and started examining it.


The file stood out from every file I've seen from the very first second because of its unfamiliar file extension, .xlsx.UUC. Is this a Microsoft Excel document encoded with UUC encoding?

Safety first: without doing anything with the file, I threw it onto VirusTotal to have a look. 3/56 security vendors and no sandboxes flagged this file as malicious. Microsoft marked it as "Trojan:Win32/Wacatac.B!ml". I then supposed that this is a malicious file designed for Windows and proceeded, with caution, to understand how it all works.

I then used the less command in the terminal to see the raw contents of the file.

[Screenshot: less command output showing the raw content of the attachment file]

You can clearly see that it's not UUC-encoded: UUC is meant to encode binary to text so it can be sent by email, and this file is raw binary. Right at the start of the file, the signature "Rar!" made me think that this might be a RAR archive.

I then renamed the file extension from .xlsx.UUC to .rar and extracted it. Unsurprisingly, the extracted file is a Windows executable with the well-known extension .exe. This time I uploaded that file to VirusTotal: 9/61 warnings this time.
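As an added example (not part of the original post), here is a small Python triage script that does the same check programmatically: it compares the format the file name claims (its last extension) against the magic bytes at the start of the file, flags double extensions like .xlsx.UUC, and shows what a genuinely uuencoded spreadsheet would look like. The sample bytes are constructed for the demonstration, not taken from the actual attachment.

```python
import binascii

# Well-known leading-byte signatures (magic bytes) for the formats in play here.
# Both the "Rar!" signature and "MZ" are what `less` would show at the top of the file.
SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "RAR archive (v5)"),
    (b"Rar!\x1a\x07\x00", "RAR archive (v1.5-4.x)"),
    (b"PK\x03\x04", "ZIP container (OOXML .xlsx/.docx are ZIPs)"),
    (b"MZ", "Windows PE executable"),
]

# What each claimed extension should actually contain.
EXPECTED_BY_EXT = {
    ".xlsx": {"ZIP container (OOXML .xlsx/.docx are ZIPs)"},
    ".docx": {"ZIP container (OOXML .xlsx/.docx are ZIPs)"},
    ".rar": {"RAR archive (v5)", "RAR archive (v1.5-4.x)"},
    ".exe": {"Windows PE executable"},
    ".uuc": {"uuencoded text"},  # assumption: treat .UUC like the usual .uue
    ".uue": {"uuencoded text"},
}


def identify(data: bytes) -> str:
    """Name the real format from the leading bytes, ignoring the file name."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    # uuencode is a text format: the first line is "begin <mode> <name>".
    first_line = data.split(b"\n", 1)[0]
    if first_line.startswith(b"begin ") and first_line.count(b" ") >= 2:
        return "uuencoded text"
    return "unknown"


def uudecode(data: bytes) -> bytes:
    """Decode a uuencoded blob (begin/.../end) back to its binary payload."""
    lines = data.split(b"\n")
    if not lines[0].startswith(b"begin "):
        raise ValueError("not uuencoded: missing 'begin' line")
    out = bytearray()
    for line in lines[1:]:
        if line == b"end":
            break
        if line in (b"", b"`"):  # blank or zero-length line
            continue
        out += binascii.a2b_uu(line)
    return bytes(out)


def triage(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the real content and flag tricks."""
    exts = [e.lower() for e in filename.split(".")[1:]]
    claimed_ext = "." + exts[-1] if exts else ""
    actual = identify(data)
    expected = EXPECTED_BY_EXT.get(claimed_ext)
    return {
        "claimed_ext": claimed_ext,
        "actual": actual,
        # Only a verdict when we know what the extension should contain.
        "mismatch": expected is not None and actual not in expected,
        "double_extension": len(exts) >= 2,
    }


# Constructed samples (not the real attachment).
SAMPLE_RAR = b"Rar!\x1a\x07\x00" + bytes(16)          # what the post's file looked like
SAMPLE_EXE = b"MZ" + bytes(30)                        # what came out of the archive
SAMPLE_XLSX = b"PK\x03\x04" + bytes(20)               # a real OOXML file starts like a ZIP
# A genuinely uuencoded spreadsheet: text header, then encoded lines, then "end".
SAMPLE_UU = (b"begin 644 bills.xlsx\n"
             + binascii.b2a_uu(SAMPLE_XLSX)
             + b"`\nend\n")

if __name__ == "__main__":
    for name, blob in [("bills.xlsx.UUC", SAMPLE_RAR),
                       ("bills.rar", SAMPLE_RAR),
                       ("bills.exe", SAMPLE_EXE),
                       ("bills.xlsx.uue", SAMPLE_UU)]:
        print(name, triage(name, blob))
    print("decoded uuencoded payload is:", identify(uudecode(SAMPLE_UU)))
```

Running it on the constructed samples reports a mismatch and a double extension for bills.xlsx.UUC (claimed uuencoded text, actual RAR archive), no mismatch for the same bytes named bills.rar, and shows that a real uuencoded .xlsx decodes to a ZIP container rather than to a RAR archive.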

When I have more time to spare, I'll look into what kind of virus this is and how "Trojan:Win32/Wacatac.B!ml" works.
