Malware Email: “Your Invoice # 075116”

Yesterday I received the suspicious email below, which had an “invoice” attached.

The PDF attachment contains JavaScript that tries to launch a file embedded inside the PDF (the .docm analysed below). The PDF itself is only a carrier: the JavaScript saves the embedded file to disk and hands it to the associated application.

Statically analysing the file

The extracted sample (adffff8a8b174bdc9f8e9d4e4ce53f7a, HJHZOOLJL.docm) is already detected by multiple engines (14/58 on VirusTotal).

If the user chooses to open the file, they are presented with a Word document asking them to enable macros. Nothing runs until macros are enabled; the visible document is just the lure.
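The static triage described above, as an added example that is not part of the original post: a pdfid-style keyword count of the PDF, extraction of the /JS script and of the /EmbeddedFile stream, and a check that the extracted .docm actually carries a VBA project. The PDF, the .docm and the JavaScript (`exportDataObject` with `nLaunch: 2`, which is Acrobat's save-and-open call for embedded files) are constructed stand-ins; the post does not reproduce the real script or the real PDF structure, and the name HJHZOOLJL.docm is reused from the post only as a label.

```python
import hashlib
import io
import re
import zipfile
import zlib

# Constructed stand-in for the dropped .docm: a genuine zip whose member list
# includes word/vbaProject.bin, the OOXML part that holds VBA macros.
def build_sample_docm():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake OLE container")
    return buf.getvalue()

# Assumed dropper script (the post does not reproduce the real one): Acrobat's
# exportDataObject with nLaunch: 2 saves an embedded file and opens it.
SAMPLE_JS = b'this.exportDataObject({ cName: "HJHZOOLJL.docm", nLaunch: 2 });'

def build_sample_pdf(docm):
    """Constructed PDF: /OpenAction runs JavaScript; the .docm is a Flate-compressed /EmbeddedFile."""
    comp = zlib.compress(docm)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R "
        b"/Names << /EmbeddedFiles << /Names [(HJHZOOLJL.docm) 5 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /S /JavaScript /JS (" + SAMPLE_JS + b") >>",
        b"<< /Type /Filespec /F (HJHZOOLJL.docm) /EF << /F 6 0 R >> >>",
        b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d /Params << /Size %d >> >>\n"
        b"stream\n" % (len(comp), len(docm)) + comp + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

# pdfid-style triage: count the names that make a PDF act on open.
RISKY = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile"]

def count_keywords(pdf):
    # The negative lookahead stops /EmbeddedFile from matching inside /EmbeddedFiles.
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z0-9_])", pdf)) for k in RISKY}

def is_dropper_shaped(counts):
    auto = counts["/OpenAction"] + counts["/AA"] > 0           # runs without a click
    script = counts["/JavaScript"] + counts["/JS"] > 0         # has code to run
    payload = counts["/EmbeddedFile"] + counts["/Launch"] > 0  # has something to drop or launch
    return auto and script and payload

def extract_javascript(pdf):
    """Pull /JS literal strings out, tracking parentheses so JS code containing () survives."""
    scripts = []
    for m in re.finditer(rb"/JS\s*\(", pdf):
        depth, i = 1, m.end()
        while i < len(pdf) and depth:
            c = pdf[i:i + 1]
            if c == b"\\":
                i += 1                      # skip the escaped character
            elif c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
            i += 1
        scripts.append(pdf[m.end():i - 1])  # /JS given as a stream or hex string is not handled here
    return scripts

def extract_embedded_files(pdf):
    """Return the decoded bytes of every /EmbeddedFile stream that has a direct /Length."""
    found = []
    for m in re.finditer(rb"(\d+)\s+\d+\s+obj\b", pdf):
        end = pdf.find(b"endobj", m.end())
        header = pdf[m.end():(end if end != -1 else len(pdf))]
        sm = re.search(rb"(?<![a-z])stream\r?\n", header)   # the keyword, not 'endstream'
        if not sm or not re.search(rb"/Type\s*/EmbeddedFile\b", header[:sm.start()]):
            continue
        ln = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", header[:sm.start()])
        if not ln:
            continue                        # indirect /Length reference: left for a real parser
        start = m.end() + sm.end()
        data = pdf[start:start + int(ln.group(1))]
        if b"/FlateDecode" in header[:sm.start()]:
            data = zlib.decompress(data)
        found.append({"obj": int(m.group(1)), "sha256": hashlib.sha256(data).hexdigest(), "data": data})
    return found

def has_vba_project(docm):
    """A .docm is a zip; macros live in word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(docm)) as z:
            return "word/vbaProject.bin" in z.namelist()
    except zipfile.BadZipFile:
        return False

if __name__ == "__main__":
    pdf = build_sample_pdf(build_sample_docm())
    print(count_keywords(pdf), is_dropper_shaped(count_keywords(pdf)))
    for f in extract_embedded_files(pdf):
        print(f["obj"], f["sha256"], "macros:", has_vba_project(f["data"]))
```

The three-way test in `is_dropper_shaped` is the point: a PDF with JavaScript alone is common and benign, but an automatic action plus a script plus an embedded or launchable file is the shape of this invoice dropper. The hash of the extracted stream is what goes to VirusTotal; on a real sample expect indirect `/Length` objects, object streams and other filters, which this example deliberately leaves to a full parser.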

Enabling macros runs the malicious VBA modules (dumped to pastebin), which attempt to download the Jaff ransomware payload (VT 27/61). A Wireshark capture of the GET request shows that the payload comes down XOR-encoded rather than as a plain executable, so the bytes on the wire do not look like a PE file until the macro decodes them.
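Recovering the XOR-encoded download from the capture, as an added example that is not part of the original post. The post states only that the sample is XORed; it gives neither the key nor its length. This example assumes a repeating-key XOR and shows the known-plaintext approach an analyst would use on the bytes carved from the Wireshark capture: slide the DOS stub string that sits in the header of almost every PE over the encrypted data, derive the key each position implies, and keep the one whose output parses as a PE. The PE skeleton and the 6-byte key are constructed for the demonstration.

```python
import hashlib
import struct

# Known plaintext: the DOS stub message sits in the header of nearly every PE.
DOS_CRIB = b"This program cannot be run in DOS mode."

def xor(data, key):
    """Repeating-key XOR (its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(data):
    """Structural check: 'MZ' at 0 and 'PE\\0\\0' where e_lfanew (offset 0x3C) points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_xor_key(blob, max_key_len=32, search_window=0x200):
    """Slide the crib over the first bytes of the captured download. For every
    (offset, key length) pair derive the key the crib implies, reject pairs where
    the crib contradicts itself, and accept the first key whose output parses as
    a PE. Returns (key, crib_offset) or None."""
    last = min(search_window, len(blob) - len(DOS_CRIB))
    for offset in range(0, last + 1):
        # The crib must cover every key byte, so the key cannot be longer than it.
        for klen in range(1, min(max_key_len, len(DOS_CRIB)) + 1):
            key, seen, consistent = bytearray(klen), set(), True
            for i, p in enumerate(DOS_CRIB):
                slot = (offset + i) % klen
                kb = blob[offset + i] ^ p
                if slot in seen and key[slot] != kb:
                    consistent = False      # same key byte implied twice with different values
                    break
                key[slot] = kb
                seen.add(slot)
            if consistent and looks_like_pe(xor(blob, bytes(key))):
                return bytes(key), offset
    return None

# Constructed stand-in for the downloaded binary: a DOS/PE header skeleton with
# the stub string at 0x4E and e_lfanew -> 0x80, followed by fake section bytes.
def build_fake_pe():
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x4E:0x4E + len(DOS_CRIB)] = DOS_CRIB
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr) + bytes(range(256))

# Constructed 6-byte key; the post gives neither the real key nor its length.
KEY = b"\x37\xa1\x5c\x09\xee\x41"

def decode_capture(blob):
    """What an analyst does with the bytes carved from the capture: recover the
    key, decode, and hash the result for a VirusTotal lookup."""
    hit = recover_xor_key(blob)
    if hit is None:
        return None
    key, offset = hit
    pe = xor(blob, key)
    return {"key": key.hex(), "crib_offset": offset,
            "sha256": hashlib.sha256(pe).hexdigest(), "pe": pe}

if __name__ == "__main__":
    wire = xor(build_fake_pe(), KEY)   # what the GET response body looks like on the wire
    print("PE on the wire:", looks_like_pe(wire))
    print(decode_capture(wire)["key"], hex(decode_capture(wire)["crib_offset"]))
```

Two things carry over to real samples. The consistency check is what makes the search cheap: most (offset, key length) guesses are thrown out after a few crib bytes, long before the whole blob is decoded. And the acceptance test is structural, not a string match, because a wrong key can easily reproduce the crib but will not also produce a valid `e_lfanew` pointing at a `PE\0\0` signature. If the macro uses something other than a plain repeating XOR, the search fails cleanly and the VBA itself has to be read for the decoding routine.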

Running the sample in a sandbox environment confirms the behaviour: it encrypts the user's personal files and renames them with a .jaff extension.

