Fake Visa notification with password-protected Word doc delivers malware

An email with the subject "Fwd: derek" (the recipient's name), pretending to come from "Pamela <logo@mensperl.edu>" (probably random senders), with a malicious Word doc attachment, delivers some sort of malware, but I don't know what.

The Word doc is password protected and you need to use the password from the email body to open it. Once you enter the password and enable content, a macro runs that downloads a .jpg file, which is actually a renamed .exe file. I can't get the .exe to do much on any of the sandboxes I tried. It seems to drop a version of Tor Browser but doesn't seem to do much else. I did get a couple of NSIS installer warnings. I don't know if that is due to it trying to run in a sandbox or VM and having anti-analysis protection, or whether it is genuinely a buggy/broken installer.

Update: I am reliably informed that it is Sigma ransomware, which appears to only run on a real computer, not a VM or sandbox.

They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment.

Remember that many email clients, especially on a mobile phone or tablet, only show the Name in the From: field and not the part in <domain.com>. That is why these scams and phishes work so well.
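Two defender-side checks for the indicators described above, as an added example that is not part of the original article: flagging a downloaded "jpg" that is really a Windows executable by its magic bytes rather than its extension, and flagging a From: header whose display name shares nothing with the sending domain. The sample bytes and headers are constructed, and the From: check is a triage heuristic, not proof of spoofing.

```python
"""Added example (not from the original report). Detects (1) a file whose
extension claims .jpg but whose content is a PE executable, as in the macro
download described above, and (2) a From: header with a display name that
hides an unrelated mailbox domain. All sample data below is constructed."""
from email.utils import parseaddr

# Leading-byte signatures for the formats relevant here (constructed table).
SIGNATURES = {
    b"MZ": "exe",                # DOS/PE executable header
    b"\xff\xd8\xff": "jpg",      # JPEG start-of-image marker
    b"PK\x03\x04": "zip/docx",   # OOXML documents are ZIP containers
}

def sniff_type(data: bytes) -> str:
    """Return the real type of a file from its leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the claimed extension disagrees with the sniffed content,
    e.g. a renamed .exe delivered as 'photo.jpg'. Unknown content is not
    flagged, so this never fires on formats the table does not know."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    real = sniff_type(data)
    return real != "unknown" and ext not in real.split("/")

def suspicious_from(header: str) -> bool:
    """Heuristic: True when From: carries a display name and no word of that
    name (longer than two characters) appears in the mailbox domain. This is
    the mismatch a mobile client hides by showing only the name."""
    name, addr = parseaddr(header)
    if not name or "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1].lower()
    tokens = [t for t in name.lower().replace(".", " ").split() if len(t) > 2]
    return not any(t in domain for t in tokens)

if __name__ == "__main__":
    # Constructed sample: a PE header saved under an image name.
    fake_jpg = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    print("photo.jpg is really:", sniff_type(fake_jpg))           # exe
    print("mismatch:", extension_mismatch("photo.jpg", fake_jpg))  # True
    print("From flagged:", suspicious_from("Pamela <logo@mensperl.edu>"))
```

Run it over the files a sandbox captured rather than the filenames alone; the extension check is what catches the renamed .exe regardless of what the macro called it.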

To read the original article:

https://myonlinesecurity.co.uk/fake-visa-notification-with-password-protected-word-doc-delivers-malware/
