Malware Email : “Your Invoice # 075116” | [email protected]

Yesterday I received the suspicious email below, which had an “invoice” attached.

The PDF attachment contains JavaScript that tries to launch an embedded file.
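A pdfid-style keyword scan is the usual first triage step for an attachment like this one: script objects (/JS, /JavaScript) combined with an auto-run trigger (/OpenAction, /AA) and an embedded or launched file are exactly the pattern described above. The following is an added example written for this post, not the author's own tooling; the PDF bytes it scans are a constructed sample that mimics the structure, with a harmless alert instead of the real script, and the counter also undoes the hex name escapes (`/#4A#53` for `/JS`) that malicious PDFs use to dodge naive string matching.

```python
from __future__ import annotations
import re

# Keywords worth counting in a PDF triage (pdfid-style). /JS and /JavaScript
# mean script, /OpenAction and /AA mean it runs automatically, /Launch and
# /EmbeddedFile mean a payload is dropped or executed, /ObjStm means objects
# may be hidden inside compressed object streams this scan cannot see.
SUSPICIOUS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
              "/EmbeddedFile", "/Filespec", "/RichMedia", "/ObjStm")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes (/J#53 -> /JS) so obfuscated keywords match.
    Applied to the whole file for simplicity; that is fine for counting."""
    return _HEX_ESCAPE.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)


def count_keywords(data: bytes) -> dict[str, int]:
    """Count each suspicious name token, requiring a non-name character after it
    so that /JS does not also match /JSX and /EmbeddedFile does not match /EmbeddedFiles."""
    norm = normalise_names(data)
    counts = {}
    for kw in SUSPICIOUS:
        pattern = re.escape(kw.encode()) + rb"(?![A-Za-z0-9_])"
        counts[kw] = len(re.findall(pattern, norm))
    return counts


def triage(data: bytes) -> tuple[str, list[str]]:
    """Return a verdict and the reasons behind it, based only on keyword co-occurrence."""
    counts = count_keywords(data)
    reasons = []
    script = counts["/JS"] + counts["/JavaScript"]
    auto = counts["/OpenAction"] + counts["/AA"]
    drop = counts["/Launch"] + counts["/EmbeddedFile"]
    if script and auto:
        reasons.append("script runs automatically on open")
    if script and drop:
        reasons.append("script paired with embedded or launched file")
    if counts["/ObjStm"]:
        reasons.append("object streams present: keyword counts may be incomplete")
    verdict = "suspicious" if reasons else "no obvious indicators"
    return verdict, reasons


# Constructed sample (not a real malicious file): an OpenAction pointing at a
# JavaScript action whose /S name is hex-escaped, plus an embedded file spec.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /Type /Action /S /#4A#61#76#61#53#63#72#69#70#74"
    b" /JS (app.alert\\(\"constructed sample\"\\)) >> endobj\n"
    b"5 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 6 0 R >> >> endobj\n"
    b"6 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(count_keywords(SAMPLE_PDF))
    print(triage(SAMPLE_PDF))
```

The scan is deliberately shallow: it never inflates FlateDecode streams, so a file whose objects live inside /ObjStm containers can hide every keyword from it. Treat a non-zero /ObjStm count as a reason to decompress and rescan rather than as a clean result.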

Statically analysing the file

The extracted sample (adffff8a8b174bdc9f8e9d4e4ce53f7a, HJHZOOLJL.docm) is already detected by multiple engines (14/58 on VirusTotal).

If the user chooses to open the file, they are presented with a Word document asking them to enable macros.

Enabling the macro executes the malicious VBA modules (posted on pastebin) and attempts to download the Jaff ransomware (27/61 on VirusTotal); the Wireshark capture illustrates the GET request (the downloaded sample is XORed).

Running the sample in a sandbox environment encrypts the victim's personal files (*.jaff).
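Because the payload comes down XORed, the blob in the capture is not directly scannable; recovering the key is the analyst's next step. The code below is an added example for this post, not the author's script: it recovers a single-byte key from the known `MZ` plaintext, and generalises to a short repeating key by exploiting the run of 0x00 bytes in any PE header (the most frequent byte at each key position is the key byte itself), validating each candidate against the `MZ` and `PE\0\0` signatures. The PE it decodes is a constructed skeleton header, not a real binary.

```python
from __future__ import annotations
from collections import Counter

MZ = b"MZ"                                            # DOS header signature
DOS_STUB = b"This program cannot be run in DOS mode"  # typical linker stub text


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (same function encodes and decodes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Check the MZ signature and follow e_lfanew (offset 0x3C) to the PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_key(blob: bytes) -> int | None:
    """Known plaintext: blob[0] ^ 'M' gives the key, and blob[1] ^ key must be 'Z'."""
    if len(blob) < 2:
        return None
    key = blob[0] ^ MZ[0]
    return key if blob[1] ^ key == MZ[1] else None


def guess_repeating_key(blob: bytes, max_key_len: int = 8, window: int = 512) -> bytes | None:
    """Try key lengths 1..max_key_len. For each, take the most common byte at every
    key position within the header window (mostly XORed zeros) as that key byte,
    then keep the shortest candidate whose decoding validates as a PE header."""
    head = blob[:window]
    for klen in range(1, max_key_len + 1):
        key = bytes(Counter(head[i::klen]).most_common(1)[0][0] for i in range(klen))
        if looks_like_pe(xor_bytes(head, key)):
            return key
    return None


def build_fake_pe() -> bytes:
    """Constructed 512-byte stand-in for a PE header: MZ, e_lfanew=0x80, stub text, PE\\0\\0."""
    hdr = bytearray(0x200)
    hdr[0:2] = MZ
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr)


if __name__ == "__main__":
    captured = xor_bytes(build_fake_pe(), b"\x5a\x13\xc8\x07")  # constructed "download"
    key = guess_repeating_key(captured)
    print("recovered key:", key.hex() if key else None)
    print("stub text present:", DOS_STUB in xor_bytes(captured, key))
```

The frequency heuristic only works because the first few hundred bytes of a PE are dominated by zero padding; if the downloader strips or overwrites the DOS header, fall back to the single-byte known-plaintext check or to a longer known string such as the DOS stub text. A decoded blob that validates should then go straight to hashing and a VirusTotal lookup, as the author did with the 27/61 sample.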
