Malware-Traffic-Analysis.net - 2018-10-26 - Malspam with password-protected Word docs now pushing GlobeImposter ransomware

2018-10-26 - MALSPAM WITH PASSWORD-PROTECTED WORD DOCS NOW PUSHING GLOBEIMPOSTER RANSOMWARE

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

Email: 2018-10-26-password-protected-Word-doc-malspam.eml.zip 33 kB (33,288 bytes)

2018-10-26-password-protected-Word-doc-malspam.eml (57,031 bytes)

Traffic: 2018-10-26-GlobeImposter-ransomware-from-password-protected-Word-doc-malspam.pcap.zip 346 kB (346,058 bytes)

2018-10-26-GlobeImposter-ransomware-from-password-protected-Word-doc-malspam.pcap (647,693 bytes)

Malware: 2018-10-26-malware-and-artifacts-from-GlobeImposter-infection.zip 363 kB (362,549 bytes)

2018-10-24-attached-word-document-password-1234.doc (39,936 bytes)

2018-10-26-GlobeImposter-artifact-tmpDAE3.tmp.bat.txt (448 bytes)

2018-10-26-GlobeImposter-instructions-YOU_FILES_HERE.txt (1,597 bytes)

2018-10-26-GlobeImposter-ransomware-qwerty2.exe (603,648 bytes)

NOTES:

This malspam with password-protected Word documents that were pushing Nymaim (and before that Neutrino), is now back to pushing ransomware.
Below are write-ups I've written on malware associated with waves of malspam from this campaign:

2018-09-28 - More malspam with password-protected Word docs pushing Nymaim

2018-09-21 - Malspam with password-protected Word docs still pushing Nymaim

2018-09-17 - Quick post: Malspam with password-protected Word docs pushes Nymaim

2018-09-06 - Malspam with password-protected Word docs pushes AZORult then Neutrino

2018-08-21 - More malspam with password-protected Word docs, now pushing Neutrino

2018-08-15 - More malspam pushing password-protected Word docs for AZORult and Hermes Ransomware

2018-07-27 - Malspam with password-protected Word docs pushes Hermes ransomware

2018-07-23 - Malspam with password-protected Word docs pushes AZORult then Hermes ransomware

2018-06-04 - Malspam with password-protected Word docs pushes Gandcrab ransomware

2018-06-04 - Malspam with password-protected Word docs pushes Sigma ransomware

2018-04-20 - Malspam with password-protected Word docs pushes GlobeImposter ransomware

2018-03-14 - Malspam with password-protected Word docs pushes Sigma ransomware

IMAGES

Shown above: Screenshot from an email example.

Shown above: The attached password-protected Word document.

Shown above: Traffic generated after unlocking the Word doc and enabling macros.

Shown above: No post-infection traffic for the infection, just a bunch of encyrpted personal files.

Shown above: To top it off, the decryption page wasn't working.

Shown above: Some artifacts from the infection.

Shown above: Saw a VBS file in the startup folder.

Click here to return to the main page.