Two Waves of Malformed Malspam Arrive in Mailboxes

 Analysis by: Cedrick Ramos

More news on the malicious spam front - we recently received two waves of what appears to be malformed malspam. The first uses the subject heading 'Supplement payment [Random Number]', while the other passes itself off as a 'Document invoice_[Random number]_sign_and_return.pdf is complete' notification. In this particular context, 'malformed' means that something went wrong in the sample's creation process, which in turn means that it can't work like it's supposed to.

As such, these malformed mails will not infect the recipient's machine and are thus harmless. However, we found that an attachment can be retrieved from the email's code. Doing so reveals a malicious .7z attachment which, when extracted, produces .vbs files. These files will, of course, run malicious code when executed.

Upon investigation, the file attachments of the replicated mails are already detected as VBS_NEMUCOD.ELDSAUU.
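The attachment recovery described above can be checked on the defensive side by scanning the raw message source rather than trusting the MIME parser. The following is an added example, not code from the original analysis: it assumes the mail is malformed by a missing top-level Content-Type header (the page does not say how the samples were broken), and the sample message, the file name sample.7z and the filler payload are constructed.

```python
import base64, binascii, email, re

SEVENZ_MAGIC = bytes.fromhex("377abcaf271c")      # 7z file signature
B64_LINE = re.compile(rb"[A-Za-z0-9+/]{4,}={0,2}")

def parser_attachments(raw: bytes) -> list:
    """Attachment filenames a standard MIME parser reports."""
    msg = email.message_from_bytes(raw)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def carve_7z(raw: bytes) -> list:
    """Decode each run of base64 lines in the raw source; keep 7z blobs."""
    found, run = [], []
    for line in raw.splitlines() + [b""]:         # sentinel flushes last run
        line = line.strip()
        if B64_LINE.fullmatch(line):
            run.append(line)
            continue
        if run:
            try:
                blob = base64.b64decode(b"".join(run), validate=True)
            except (binascii.Error, ValueError):
                blob = b""                        # not valid base64 after all
            if blob.startswith(SEVENZ_MAGIC):
                found.append(blob)
            run = []
    return found

# Constructed sample (assumption): the top-level Content-Type header is
# missing, so the MIME part is plain body text to the parser. The payload
# is only the 7z signature plus zero filler, not a real archive.
PAYLOAD = SEVENZ_MAGIC + bytes(60)
SAMPLE = (
    b"Subject: Supplement payment 12345\r\n"
    b"MIME-Version: 1.0\r\n"
    b"\r\n"
    b"--b1\r\n"
    b'Content-Disposition: attachment; filename="sample.7z"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.encodebytes(PAYLOAD).replace(b"\n", b"\r\n")
    + b"--b1--\r\n"
)

if __name__ == "__main__":
    print("parser sees:", parser_attachments(SAMPLE))
    print("carved 7z blobs:", len(carve_7z(SAMPLE)))
```

A message for which the parser reports no attachment while the raw scan finds a 7z signature is a candidate for quarantine and manual review.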

Users are advised to always exercise caution when clicking attachments in emails, especially if they come from unknown senders. Trend Micro customers are of course protected from all aspects and elements of this threat.

 SPAM BLOCKING DATE / TIME: October 12, 2017 GMT-8
  • ENGINE:8.0
  • PATTERN:3390