Full Report
A novel phishing attack abuses Microsoft's Word file recovery feature by sending corrupted Word documents as email attachments, allowing them to bypass security software due to their damaged state but still be recoverable by the application. [...]
Analysis Summary
The provided article description is very brief and focuses on the *method* of attack (a novel phishing campaign using corrupted Word documents to evade security) rather than detailing a specific, named malware family, tool, or framework. Therefore, the summary will focus on the described technique and the likely associated malware/tools involved in such a campaign.
# Tool/Technique: Phishing Campaign using Corrupted Word Documents
## Overview
This describes an ongoing phishing campaign that utilizes specially crafted or "corrupted" Microsoft Word documents as the initial infection vector. The primary goal is to bypass standard security controls (like file scanners or static analysis) by using the malformed document structure as an evasion technique, ultimately leading to malware execution on the victim's system.
## Technical Details
- Type: Technique (Delivery Mechanism/Initial Access)
- Platform: Microsoft Windows (implied, due to Word document focus)
- Capabilities: Evasion of security tools via malformed file structure; typically leads to initial code execution (e.g., via macros, OLE objects, or file format parsing flaws).
- First Seen: The source does not give a date; the campaign is described only as "novel."
## MITRE ATT&CK Mapping
Since the context describes the delivery method, the mapping focuses on Initial Access and potential Execution:
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment
- **TA0002 - Execution**
  - T1204 - User Execution
    - T1204.002 - Malicious File
## Functionality
### Core Capabilities
- Delivery of malicious payload via email attachment disguised as a legitimate document.
- Exploitation or manipulation of Microsoft Word file structure or embedded objects to trigger hidden code.
### Advanced Features
- **Evasion:** The technique relies on corrupting or obfuscating the file structure so that traditional antivirus and static scanners fail to parse or scan the attachment, while Word's file recovery feature still opens it for the user, thus evading detection at the file level. Related approaches often involve exploiting file parser vulnerabilities or using highly obfuscated document settings.
## Indicators of Compromise
*(Note: Since the description is general, specific IOCs are not provided in the source material. The list below gives the IOC categories expected for this type of attack.)*
- File Hashes: [Specific hashes of the corrupted DOC/DOCX files would be relevant]
- File Names: [Commonly used lure names (e.g., Invoice*, PO*, Confidential*)]
- Registry Keys: [Associated with persistence setup by the secondary malware payload]
- Network Indicators: [C2 addresses/domains for the secondary malware payload]
- Behavioral Indicators: [Suspicious process creation chain, e.g., `WINWORD.EXE` spawning `powershell.exe` or file creation/modification in user directories post-document opening.]
## Associated Threat Actors
- [General financially motivated criminal groups often employ complex delivery methods like this.]
- [Specific threat actors known for file-based evasion techniques, if more context were provided.]
## Detection Methods
- Signature-based detection: Signatures specific to the final payload dropper, or known malicious file structures if the specific corruption technique is recognized.
- Behavioral detection: Monitoring for Microsoft Office applications executing system commands (`cmd.exe`, `powershell.exe`), downloading secondary files, or writing executables to unusual locations.
- YARA rules: Rules targeting specific strings or structural anomalies within common Office file formats related to known malicious macros or embedded exploits.
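As an added example (not part of the original report), the behavioral rule above can be expressed as a small detection over constructed Sysmon-style process-creation records, flagging an Office parent that directly launches a shell or script host; the `Key=Value|Key=Value` line format and the sample events are assumptions made for this illustration.

```python
from pathlib import PureWindowsPath

# Office parents and the script/shell hosts that should rarely be their direct children.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record.

    Only the first '=' of each field separates key from value, so '=' characters
    inside a CommandLine value (e.g. base64 padding) are preserved.
    """
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path, e.g. 'winword.exe'."""
    return PureWindowsPath(path).name.lower()


def is_office_spawn(event: dict) -> bool:
    """True when an Office application is the direct parent of a shell/script host."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    return parent in OFFICE_PARENTS and child in SHELL_CHILDREN


def find_office_spawns(lines) -> list:
    """Return the parsed events that match the Office-to-shell rule."""
    return [e for e in map(parse_event, lines) if is_office_spawn(e)]


# Constructed sample telemetry (not real events): one hit, one benign shell, one benign Office child.
SAMPLE_LOG = [
    r"UtcTime=2024-01-10 09:14:02|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|CommandLine=powershell.exe <constructed arguments>",
    r"UtcTime=2024-01-10 09:14:05|Image=C:\Windows\System32\cmd.exe"
    r"|ParentImage=C:\Windows\explorer.exe|CommandLine=cmd.exe /c dir",
    r"UtcTime=2024-01-10 09:14:09|Image=C:\Windows\splwow64.exe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=splwow64.exe",
]

if __name__ == "__main__":
    for hit in find_office_spawns(SAMPLE_LOG):
        print(f"ALERT {hit['UtcTime']}: {image_name(hit['ParentImage'])} -> {hit['CommandLine']}")
```

In production the same rule would be fed from Sysmon Event ID 1 or EDR process telemetry rather than text lines, and tuned with an allow-list for known benign Office child processes.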
## Mitigation Strategies
- Prevention measures: Disabling macros by default in Office; using protected view for downloaded files.
- Hardening recommendations: Implementing application control (e.g., AppLocker) to restrict execution of scripts or unverified executables launched by Office applications. Educating users on suspicious attachments.
## Related Tools/Techniques
- Macro-based malware delivery (e.g., Emotet, TrickBot historically used heavily obfuscated VBA).
- Exploitation of OLE objects within Microsoft Office documents.
- Malicious script execution via CVEs affecting Microsoft Office parsers.