There was a phishing email that came in the other day that looked interesting. When I went to the URL found in the PDF, it linked to an ARJ archive file. Once i downloaded this file and extracted it, I saw that there was a VBScript file. Opening this file…
Looking through the email filters in on the 18th of September, I managed to find a small batch of emotet emails from the same sender. The emails themselves tried to spoof email addresses, but Outlook ended up displaying both emails (the spoof and the true sender). Looking through the small…
So this post covers the malicious macro script that was found in an older writeup for Emotet which you can find here. While one could develop tools to help deobfuscate the macro script like @David Ledbetter did in his blog post, I wanted to show another way of doing it…
For today’s post, I am walking through an Emotet malspam that we received this past Friday that contained a simple link that lead to a macro enabled Word document. Googling around I see that @dvk01uk came across the same URLs 5 days ago. You can read that post here. Running…
Just a quick one for today. I saw Brad’s tweet about a sample of Blank Slate malspam and decided to see if I could find some today while at work. Thankfully the email filters did their job and all of them were blocked. Brad also blogged about this over on…
So last week I came across some malspam that used a PDF with an embedded Word document in it that encrypted my test VM with Jaff ransomware which I discussed here. Trying to figure out how the script worked, I came across some aspects/things that I had not seen done…
Just a quick post for today’s blog. Once again went digging through some emails looking for some badness and came across an email that had a zipped Javascript file in it. Seeing this I thought that I would take a crack at trying to deobfuscate the script. I’ll post later…
This investigation stems from a maldoc that was sent to us yesterday. It is your standard maldoc that requires you to enable content in order to get the embedded script to run. From the looks of it, the malware that is used in this infection is Smokeloader/Dofoil. For more information…
So for today’s update, a change of pace. A couple of weeks ago I came across a Tweet from someone that I follow on Twitter. Unfortunately I can’t find the one that caught my eye, but the link was to Open Analysis Live’s video. The video was covering an “user…