Fake Visa Notification With Password Protected Word Doc Delivers Malware

Post date: 2022-03-01 (modified 2023-04-03). Source: https://myonlinesecurity.co.uk/fake-visa-notification-with-password-protected-word-doc-delivers-malware/
An email with the subject of Fwd: derek (recipient's name), pretending to come from Pamela <logo@mensperl.edu> (probably random senders), with a malicious Word doc attachment delivers some sort of malware, but I don't know what.
The Word doc is password protected and you need to use the password from the email body to open it. Once you enter the password and enable content, a macro runs that downloads a jpg file, which is actually a renamed .exe file. I can't get the .exe to do much on any of the sandboxes I tried. It seems to drop a version of Tor browser but doesn't seem to do much else. I did get a couple of NSIS installer warnings. I don't know if that is due to it trying to run in a sandbox or VM and having anti-analysis protection or whether it is genuinely a buggy/broken installer.
They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment.
Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: field and not the address in <domain.com>. That is why these scams and phishes work so well.
It doesn't look like the alleged sender has been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails. It appears that their email address has been spoofed.

The email looks like:

From: Pamela <logo@mensperl.edu>
Date: Fri 01/12/2021 05:59
Subject: Fwd: derek
Attachment: derek_scan.doc

Body Content: Just contains an image (see below screenshot)

derek_scan.doc: Current VirusTotal detections | Anyrun Beta
Current VirusTotal detections link: https://www.virustotal.com/en/file/be3852eea1c2de1a9dd6dbbd6de9fe8330413989211f2e466b2b1c4d4c87a02b/analysis/1512109411/

Word doc with password removed (VirusTotal) (Hybrid Analysis)
Hybrid Analysis link: https://www.hybrid-analysis.com/sample/ec9d519ea6c683f8813af50db2135a51bab17afd610095464ad7fda1cf836ae7?environmentId=100

This malware downloads from http://ypg7rfjvfywj7jhp.onion.link/icon.jpg, renamed to svchost.exe by the macro on download (VirusTotal) (Hybrid Analysis) (JoeSandbox) (Anyrun Beta).

Word doc when first opened looks like this; you need to insert the password from the email body.

Word doc after inserting the password, telling you to enable editing & content.

Email Headers: