An email with the subject of "Fwd: derek" (the recipient's name), pretending to come from Pamela <logo@mensperl.edu> (probably random senders), with a malicious Word doc attachment delivers some sort of malware, but I don't know what.
The Word doc is password protected and you need to use the password from the email body to open it. Once you enter the password and enable content, a macro runs that downloads a .jpg file, which is actually a renamed .exe. I can't get the .exe to do much on any of the sandboxes I tried. It seems to drop a version of the Tor browser but doesn't seem to do much else. I did get a couple of NSIS installer warnings. I don't know whether that is because it detects it is running in a sandbox or VM and has anti-analysis protection, or whether it is genuinely a buggy/broken installer.
Update: I am reliably informed that it is Sigma ransomware, which appears to only run on a real computer, not a VM or sandbox.
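Because the macro fetches a ".jpg" that is really a renamed executable (the NSIS installer is itself a Windows PE file), a defender can triage such downloads by checking the file contents against the claimed extension rather than trusting the name. The following is an added example, not code from the original post: it checks for the PE "MZ" / "PE\0\0" header layout, and the `make_fake_pe()` sample input is a constructed, non-functional header, not the real payload.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"    # every JPEG/JFIF file starts with these bytes
MZ_MAGIC = b"MZ"                # DOS header signature of a Windows executable
PE_SIGNATURE = b"PE\x00\x00"    # NT header signature, located via e_lfanew
E_LFANEW_OFFSET = 0x3C          # 4-byte little-endian offset to the PE signature


def is_pe_executable(data: bytes) -> bool:
    """True if data has a valid MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != MZ_MAGIC:
        return False
    (pe_offset,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # slicing tolerates a bogus e_lfanew that points past the end of the file
    return data[pe_offset:pe_offset + 4] == PE_SIGNATURE


def is_jpeg(data: bytes) -> bool:
    return data[:3] == JPEG_MAGIC


def classify_download(filename: str, data: bytes) -> str:
    """Compare a downloaded file's extension with its real type.

    Returns 'ok' when they agree, 'disguised-executable' when a PE file is
    hiding behind a non-executable extension such as .jpg, else 'unknown'.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_pe_executable(data):
        return "ok" if ext in ("exe", "dll", "scr") else "disguised-executable"
    if is_jpeg(data):
        return "ok" if ext in ("jpg", "jpeg") else "unknown"
    return "unknown"


def make_fake_pe() -> bytes:
    """Constructed sample: a minimal MZ header with e_lfanew -> 0x40 followed
    by the PE signature. It is not a runnable program, only header bytes."""
    header = bytearray(MZ_MAGIC + b"\x00" * (0x40 - len(MZ_MAGIC)))
    struct.pack_into("<I", header, E_LFANEW_OFFSET, 0x40)
    header += PE_SIGNATURE + b"\x00" * 20
    return bytes(header)


if __name__ == "__main__":
    # A macro saved this as an image, but the bytes say Windows executable.
    print(classify_download("photo.jpg", make_fake_pe()))  # disguised-executable
```

The same check can be run over a proxy's download log or a sandbox's dropped-files directory to flag "image" downloads that are really installers.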
They are using email addresses and subjects that will scare or entice a user into reading the email and opening the attachment.
Remember that many email clients, especially on a mobile phone or tablet, only show the name in the From: field and not the address in <domain.com>. That is why these scams and phishes work so well.