I haven’t seen any examples of this Resume malware for a while now, so when this popped up in my spam folder it looked interesting enough to investigate a bit more. This is a continuation of these 4 previous posts about malware using resumes or job applications as the lure. They have changed behaviour again since those posts were written, and it is time to once again update the details.
The primary change in delivery method is once again the use of a password on the Word document to try to bypass antivirus filters: a scanner that cannot open the document cannot inspect what is inside it. However, there do appear to be big differences between the malware itself and previous versions.
Today’s version does not appear to use the Smoke Loader / Sharik trojan as an intermediate downloader for other malware, which has been the previous behaviour with these fake resume emails. Instead it appears to download Sigma ransomware directly.
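As an added illustration, not code from the original post, of why the password matters to filtering: a small triage function that flags Word attachments a gateway scanner cannot open without the password from the email body. The raw byte-scanning approach and the sample files are constructed for this example; it is a heuristic, not a full OLE parser.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx) is a ZIP container
FIB_WIDENT = b"\xec\xa5"                          # Word FIB magic 0xA5EC, little-endian
FIB_FENCRYPTED = 0x0100                           # fEncrypted bit in FibBase flags word (offset 10)


def classify_word_attachment(data: bytes) -> str:
    """Heuristic triage of a Word attachment by scanning raw bytes (assumption: not a full OLE parser)."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                ok = "word/document.xml" in zf.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        return "docx-plain" if ok else "unknown"
    if not data.startswith(OLE_MAGIC):
        return "unknown"
    # OLE directory entries store stream names as UTF-16LE, so they are visible in raw bytes.
    if "EncryptedPackage".encode("utf-16-le") in data:
        return "docx-encrypted"          # password-protected OOXML: the ZIP is hidden inside an OLE wrapper
    if "WordDocument".encode("utf-16-le") in data:
        # Legacy .doc: find the FIB at a 512-byte sector boundary and read its flags word.
        idx = data.find(FIB_WIDENT)
        while idx != -1:
            if idx >= 512 and idx % 512 == 0 and len(data) >= idx + 12:
                flags = int.from_bytes(data[idx + 10:idx + 12], "little")
                return "doc-encrypted" if flags & FIB_FENCRYPTED else "doc-plain"
            idx = data.find(FIB_WIDENT, idx + 1)
        return "doc-unknown"
    return "ole-other"


def needs_manual_review(data: bytes) -> bool:
    """True for forms an AV engine or sandbox cannot open without the password."""
    return classify_word_attachment(data) in ("docx-encrypted", "doc-encrypted")


def sample_docx() -> bytes:
    """Constructed minimal unencrypted .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def sample_ole(stream_name: str, fib_flags=None) -> bytes:
    """Constructed OLE-shaped blob: header sector, optional FIB in sector 0, then a UTF-16LE stream name."""
    body = OLE_MAGIC.ljust(512, b"\x00")
    if fib_flags is not None:
        body += FIB_WIDENT + b"\x00" * 8 + fib_flags.to_bytes(2, "little")
    return body.ljust(1024, b"\x00") + stream_name.encode("utf-16-le")
```

On a mail gateway the "docx-encrypted" and "doc-encrypted" verdicts are the ones worth routing to a human or a sandbox that accepts the password, since the scanner itself has nothing to inspect.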
I have had major problems analysing these today. Either I am too stupid to work out how to insert passwords on the majority of sandbox systems, or their documentation & instructions leave something to be desired. The only way I can ever get a password-protected Word doc to run is to use the Anyrun app, which interactively allows me to insert the password in the same way a “normal” recipient would.
Next, the actual malware was so slow to download that AnyrunApp couldn’t retrieve it. It took just over 3 minutes to download directly for me.
I gave up trying to insert the password in the sandboxes, so I removed it from the Word doc & uploaded a “fixed” copy with no password to all sandboxes except Anyrun. I still couldn’t get it to run in Cape sandbox. HA and Anyrun gave the same error about “cannot locate the resource specified”.