Malware

MalwareBazaar: Malicious attachment hash (trusted reporters)
Jun 2, 2023 · MalwareBazaar Abusech Suspicious attachment Malware ·
Share on:
Detects if an attachment's SHA256 hash matches a SHA256 hash reported as malware on MalwareBazaar by trusted reporters from first-time senders.

Read More
Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment
May 19, 2023 · Suspicious attachment HTML smuggling QakBot Malware ·
Share on:
Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.

Read More
Link to auto-downloaded disk image in encrypted zip
May 19, 2023 · QakBot Suspicious link Malware HTML smuggling ·
Share on:
A link in the body of the email downloads an encrypted zip that contains a disk image of the format IMG, ISO or VHD. This is a combination of file types used to deliver Qakbot.

Read More
Link to auto-downloaded file with Adobe branding
May 19, 2023 · HTML smuggling Suspicious link Brand impersonation Malware QakBot ·
Share on:
A link in the body of the email downloads a file from a site that uses Adobe branding as employed by threat actors, such as Qakbot.

Read More
Link to auto-downloaded file with Google Drive branding
May 19, 2023 · HTML smuggling Suspicious link Brand impersonation Malware QakBot ·
Share on:
A link in the body of the email downloads a file from a site that uses Google Drive branding as employed by threat actors, such as Qakbot.

Read More
Attachment: Archive with embedded CHM file
Feb 21, 2023 · Suspicious attachment Malware ·
Share on:
Recursively scans files and archives to detect embedded CHM (Microsoft Compiled HTML Help) files.
According to CERT-UA, on March 7, 2022, phishing attacks targeted state organizations of Ukraine using Zip files with embedded CHM documents, which themselves contained malicious VBScript inside a .htm file. The activity is associated with UNC1151, according to CERT-UA.

Read More
Attachment: Archive with embedded EXE file
Feb 21, 2023 · Suspicious attachment Malware ·
Share on:
Recursively scans files and archives to detect embedded EXE files (with an MZ header).
According to The Record, on June 7, 2021, the Ukrainian Secret Service attributed an attack that used this technique to the "special services of the Russian Federation".
The spear-phishing operation urged recipients to download a RAR archive included in the email, which, when decompressed, would drop an EXE file with a double extension (filename.pdf.exe) that tried to pass as a PDF file.

Read More
Attachment: Malicious OneNote Commands
Feb 21, 2023 · Suspicious attachment Malware ·
Share on:
Scans for OneNote attachments that contain suspicious commands that may indicate malicious activity.

Read More
Link to auto-download of a suspicious file type (unsolicited)
Feb 21, 2023 · HTML smuggling Suspicious link Malware ·
Share on:
A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.
Recursively explodes auto-downloaded files within archives to detect these file types.
This technique has been used by known threat actors in the wild.

Read More
Inline image as message with attachment or link
Oct 26, 2022 · Malware Credential phishing ·
Share on:
Using inline images in lieu of HTML or text content in the message is a known technique used to bypass content based scanning engines.
We've observed this technique used to deliver malware via attachments and phish credentials.

Read More