Fake Visa notification with password-protected Word doc delivers malware

Haythem Elmir

An email with the subject "Fwd: derek" (the recipient's name), pretending to come from Pamela <logo@mensperl.edu> (probably random senders), with a malicious Word doc attachment delivers some sort of malware, but I don't know what.

The Word doc is password-protected, and you need to use the password from the email body to open it. Once you use the password and enable content, a macro runs that downloads a .jpg file, which is actually a renamed .exe file. I can't get the .exe to do much on any of the sandboxes I tried. It seems to drop a version of the Tor browser but doesn't seem to do much else. I did get a couple of NSIS installer warnings. I don't know if that is due to it trying to run in a sandbox or VM and having anti-analysis protection, or whether it is genuinely a buggy/broken installer.
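The "jpg that is really an exe" trick only fools a check that trusts the file extension. As an added example (not code from the original post), this Python snippet sniffs the actual content of a downloaded file, following the DOS header's e_lfanew pointer to confirm a real PE signature rather than just matching "MZ", and flags a mismatch between what the name claims and what the bytes are. The sample PE blob and JPEG header are constructed inline for the demonstration.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"          # start of every JPEG file
MZ_MAGIC = b"MZ"                      # DOS header magic of a Windows PE
PE_SIGNATURE = b"PE\x00\x00"          # NT header signature pointed to by e_lfanew
IMAGE_EXTS = {"jpg", "jpeg"}
EXECUTABLE_EXTS = {"exe", "dll", "scr"}

def is_pe_executable(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of NT headers
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE   # short slice -> False

def sniff_type(data: bytes) -> str:
    """Identify content by magic bytes, ignoring the file name entirely."""
    if is_pe_executable(data):
        return "pe"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"

def check_download(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed content and list reasons."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_type(data)
    reasons = []
    if actual == "pe" and ext not in EXECUTABLE_EXTS:
        reasons.append(f"PE executable disguised with .{ext or '(none)'} extension")
    if ext in IMAGE_EXTS and actual != "jpeg":
        reasons.append(f".{ext} name but content is {actual}, not a JPEG")
    return {"filename": filename, "extension": ext, "content": actual, "reasons": reasons}

def build_fake_pe() -> bytes:
    """Constructed sample: minimal DOS stub with e_lfanew=0x80 and a PE signature there."""
    blob = bytearray(0x84)
    blob[:2] = MZ_MAGIC
    struct.pack_into("<I", blob, 0x3C, 0x80)
    blob[0x80:0x84] = PE_SIGNATURE
    return bytes(blob)

SAMPLE_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00"   # constructed JPEG/JFIF header

if __name__ == "__main__":
    for name, blob in [("image.jpg", build_fake_pe()), ("image.jpg", SAMPLE_JPEG)]:
        print(check_download(name, blob))
```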

Update: I am reliably informed that it is Sigma ransomware, which appears to only run on a real computer, not a VM or sandbox.

They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment.

Remember that many email clients, especially on a mobile phone or tablet, only show the name in the From: field and not the address in <domain.com>. That is why these scams and phishes work so well.

To read the original article:
