2018-05-09 - MALSPAM USING PASSWORD-PROTECTED WORD DOCS STILL ACTIVE

ASSOCIATED FILES:

 

NOTES:


Shown above:  What I saw today from malspam sent by this campaign.

 

IMAGES


Shown above:  Screenshot of the spreadsheet (part 1 of 2).

 


Shown above:  Screenshot of the spreadsheet (part 2 of 2).

 


Shown above:  Screenshot of an email from this campaign on 2018-04-30.

 


Shown above:  Screenshot of an email from this campaign on 2018-05-04.

 


Shown above:  Screenshot of an email from this campaign today on 2018-05-09.

 


Shown above:  Attached Word documents are password-protected.

 


Shown above:  After entering the password, enabling macros will infect a vulnerable Windows host.

 


Shown above:  Traffic from an infection filtered in Wireshark.

 


Shown above:  Background image for the desktop of my infected Windows host.

 


Shown above:  Going to the Sigma ransomware decryptor using a Tor browser.

 


Shown above:  The Sigma ransomware decryptor page.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
