More malspam pushing password-protected Word docs for AZORult and Hermes Ransomware

Published: 2018-08-15
Last Updated: 2018-08-15 22:32:54 UTC
by Brad Duncan (Version: 1)


This is a follow-up to a previous diary from last month on malicious spam (malspam) distributing password-protected Word docs with malicious macros designed to infect vulnerable Windows computers with ransomware.


Today, I found five examples of malspam with password-protected Word docs using 1234 as the password.  The Word doc had a malicious macro that retrieved AZORult malware.  The AZORult malware conducted callback traffic, then the infected host retrieved Hermes ransomware.

Shown above:  Screen shot of a malspam example from today (1 of 2).

Shown above:  Screen shot of a malspam example from today (2 of 2).

Shown above:  Opening the password-protected Word doc on a Windows host.

Shown above:  After entering the password, a victim must enable macros.

Shown above:  Traffic from an infection filtered in Wireshark.

Shown above:  Desktop of an infected Windows host.


Malspam information from 5 email samples: 

  • Date:  Wednesday 2018-08-15
  • Received: from ([])
  • Received: from ([])
  • Received: from ([])
  • Received: from ([])
  • Received: from ([])
  • From:  Karan Fabiano =?UTF-8?B?wqA=?= <>
  • From:  Eloisa Liechty =?UTF-8?B?wqA=?= <>
  • From:  "Edgar Blanding =?UTF-8?B?wqA=?=" <>
  • From:  "Jackqueline Wroblewski =?UTF-8?B?wqA=?=" <>
  • From:  "Toni Cerulli =?UTF-8?B?wqA=?=" <>
  • Subject:  Invoice Due
  • Attachment name:  Invoice.doc
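The `=?UTF-8?B?wqA=?=` token in every From: line above is an RFC 2047 encoded word; base64 `wqA=` decodes to the two bytes C2 A0, which is UTF-8 for a non-breaking space (U+00A0). The sender display names therefore end in an invisible padding character rather than any real text. The following script, added here as an example and not part of the original diary, decodes the display names and flags headers whose encoded words decode to nothing but whitespace. The header strings are constructed from the list above; the address part is left empty because the diary does not show it, and the two control headers (a genuine non-ASCII name and a plain ASCII name) are invented to show what the check does not flag.

```python
"""Decode malspam From: display names and flag RFC 2047 encoded words that
hide only whitespace (added example; not the diary's own code)."""
import re
from email.header import decode_header

# Constructed from the From: lines listed in the diary; addresses omitted there.
SAMPLE_FROM_HEADERS = [
    'Karan Fabiano =?UTF-8?B?wqA=?= <>',
    '"Edgar Blanding =?UTF-8?B?wqA=?=" <>',
    '=?UTF-8?B?SsO2cmcgTcO8bGxlcg==?= <>',   # control: legitimate non-ASCII name
    'Alice Example <>',                      # control: no encoded words at all
]

ANGLE_ADDR = re.compile(r'\s*<[^>]*>\s*$')


def display_name(from_header):
    """Strip the trailing <addr-spec> and surrounding quotes, leaving the raw phrase."""
    return ANGLE_ADDR.sub('', from_header).strip().strip('"')


def decoded_chunks(text):
    """Yield (decoded_text, was_encoded) for each chunk email.header.decode_header
    returns. Chunks come back as bytes once any encoded word is present."""
    for chunk, charset in decode_header(text):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or 'ascii', errors='replace')
        yield chunk, charset is not None


def decode_display_name(from_header):
    """Fully decoded display name, encoded words included."""
    return ''.join(chunk for chunk, _ in decoded_chunks(display_name(from_header)))


def encoded_words_are_only_whitespace(from_header):
    """True when the phrase carries encoded words and every one of them decodes
    to whitespace only (NBSP, spaces, tabs). An encoded word that adds no
    visible text to a sender name is padding, not internationalisation."""
    encoded = [chunk for chunk, was_encoded
               in decoded_chunks(display_name(from_header)) if was_encoded]
    return bool(encoded) and all(chunk.isspace() for chunk in encoded)


def triage(headers):
    """Map each raw From: header to (decoded display name, suspicious flag)."""
    return {h: (decode_display_name(h), encoded_words_are_only_whitespace(h))
            for h in headers}


if __name__ == '__main__':
    for raw, (name, flag) in triage(SAMPLE_FROM_HEADERS).items():
        print(f'{"SUSPICIOUS" if flag else "ok        "} {name!r}  <- {raw}')
```

The check keys on the decoded content of the encoded words, not on their mere presence, so mail from senders with non-ASCII names (the Jörg Müller control) passes while the padded names from this campaign are flagged. Run over a mailbox export it is a cheap triage signal to combine with the other indicators above (the shared Subject and the Invoice.doc attachment name).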

Network traffic:

  • port 80 - - GET /azo.exe
  • port 80 - - POST /index.php (AZORult traffic)
  • port 80 - - POST /index.php (AZORult traffic)
  • port 80 - - GET /hrms.exe
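The four requests above form an ordered chain from one infected client: an HTTP GET for an executable (the AZORult loader), one or more POSTs to /index.php (the AZORult callbacks), then a second GET for an executable (Hermes). The script below, added here as an example and not taken from the diary or its pcap, runs that sequence check over an HTTP log. The log is a constructed CSV in a Zeek-like layout; the hostnames are `.example` placeholders because the diary does not show the real ones, and the second client is invented to show that a lone POST /index.php or a lone .exe download does not trigger the detection.

```python
"""Flag clients whose HTTP traffic shows GET <exe> -> POST /index.php (1..n)
-> GET <exe> inside a time window (added example; not the diary's own code)."""
import csv
import io
from collections import defaultdict

# Constructed sample log (Zeek-like CSV). Hostnames are placeholders; the
# diary lists the real hosts only as "port 80 - - GET/POST ...".
SAMPLE_HTTP_LOG = """\
ts,src,method,host,uri
1534348800.1,10.0.0.5,GET,stage1.example,/azo.exe
1534348803.4,10.0.0.5,POST,c2-a.example,/index.php
1534348804.0,10.0.0.5,POST,c2-b.example,/index.php
1534348810.2,10.0.0.5,GET,stage2.example,/hrms.exe
1534348801.0,10.0.0.9,GET,www.example,/index.html
1534348802.0,10.0.0.9,POST,www.example,/index.php
1534348805.0,10.0.0.9,GET,cdn.example,/update.exe
"""


def parse_http_log(text):
    """Parse the CSV log into dicts with a float timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row['ts'] = float(row['ts'])
        rows.append(row)
    return rows


def is_exe_download(rec):
    return rec['method'] == 'GET' and rec['uri'].lower().endswith('.exe')


def is_index_php_post(rec):
    return rec['method'] == 'POST' and rec['uri'] == '/index.php'


def detect_chains(records, window=600.0):
    """Return {src: [(method, host, uri), ...]} for every client whose requests,
    in time order, match GET <exe> -> POST /index.php (one or more) -> GET <exe>
    with the whole chain inside `window` seconds. Records may arrive unsorted."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec['src']].append(rec)

    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r['ts'])
        chain, start = [], None
        for rec in recs:
            if start is not None and rec['ts'] - start > window:
                chain, start = [], None          # partial chain went stale; restart
            if not chain:
                if is_exe_download(rec):         # stage 1: loader download
                    chain, start = [rec], rec['ts']
            elif is_index_php_post(rec):         # stage 2: callback(s)
                chain.append(rec)
            elif is_exe_download(rec):
                if any(is_index_php_post(r) for r in chain):
                    chain.append(rec)            # stage 3: second payload
                    hits[src] = [(r['method'], r['host'], r['uri']) for r in chain]
                    break
                chain, start = [rec], rec['ts']  # newer loader fetch, no callback yet
    return hits


if __name__ == '__main__':
    for src, chain in detect_chains(parse_http_log(SAMPLE_HTTP_LOG)).items():
        print(src)
        for method, host, uri in chain:
            print(f'    {method} {host}{uri}')
```

The match is on behaviour (the order and shape of the requests) rather than on the hostnames or file names, so it still fires when the actors rotate domains or rename `azo.exe` and `hrms.exe`; tighten it with the specific hosts from the pcap when hunting for this exact campaign.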

Associated malware:

Contact info from the decryption instructions:

  • primary email: 
  • reserve email: 

Final words

As usual, properly administered and up-to-date Windows hosts are not likely to get infected.  System administrators and the technically inclined can also implement best practices like Software Restriction Policies (SRP) or AppLocker, which keep unapproved executables such as the downloaded AZORult and Hermes binaries from running, to prevent these types of infections.

Pcap and malware associated with today's diary can be found here.

Brad Duncan
brad [at]
