Tuesday, 19 November 2019

Reading spam for breakfast

Today I woke up at 5:00 AM and decided this was a great moment to read some spam. ;) Coffee is ready, so here we go...

We will start here:

As you can see, there are a few emails marked as 'spam'. Let's try the one called 'fvVAT' with a zipped attachment (sending a fake "invoice" is a popular trick):

I decided to download the attachment to my lab VM and read it ;)

An invoice in VBE - nice. ;) Checking:

As you can see, there are a few blank lines. Let's check the rest of the file:

Looks promising:

I moved the VBE file to my Kali VM:

Ok, now we can proceed:


I changed the file extension to .vbe to get some syntax colouring:

It's better now:


As you can see, the file tries to make a request to a remote web server:

I believe this is the main part of the script:


The rest of the file looks like this:


Before starting deobfuscation, I decided to check whether this is a known spam campaign:


Looks like this is our file ;)
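The steps above (open the zip in a lab VM, notice the blank lines in front of the payload, recognise the Script Encoder header, and look the file up on Hybrid Analysis) can be turned into a small triage script. The one below is an added example written for this post, not the author's tooling, and the zip it inspects is constructed in memory: the member names, the fake `#@~^ ... ==^#~@` body and the `readme.txt` are placeholders, not the real 'fvVAT' sample. It never runs the script; it only lists members, hashes them for a sandbox lookup and flags the usual giveaways (script extension, double extension, encoded-script markers, oversized members).

```python
import hashlib
import io
import zipfile

# Extensions Windows hands to the script host when double-clicked.
SCRIPT_EXTENSIONS = {".vbe", ".vbs", ".js", ".jse", ".wsf", ".wsh",
                     ".hta", ".cmd", ".bat", ".ps1"}
# Microsoft Script Encoder wraps encoded VBScript/JScript in these markers.
VBE_MAGIC = b"#@~^"
VBE_TRAILER = b"==^#~@"


def sha256_hex(data: bytes) -> str:
    """Hash to search for on Hybrid Analysis / VirusTotal before touching the file."""
    return hashlib.sha256(data).hexdigest()


def looks_like_encoded_script(data: bytes) -> bool:
    """True for a Script Encoder blob, ignoring blank lines padded in front of it
    (the sample in the post starts with several)."""
    body = data.strip(b" \t\r\n")
    return body.startswith(VBE_MAGIC) and body.endswith(VBE_TRAILER)


def classify_member(name: str, data: bytes) -> dict:
    """Collect indicators for one zip member without executing anything."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    double_ext = len(parts) > 2 and ext in SCRIPT_EXTENSIONS
    encoded = looks_like_encoded_script(data)
    indicators = []
    if ext in SCRIPT_EXTENSIONS:
        indicators.append(f"script extension {ext}")
    if double_ext:
        indicators.append("double extension (e.g. .pdf.vbe) hides the real type")
    if encoded:
        indicators.append("Script Encoder payload (#@~^ ... ==^#~@)")
    return {
        "name": name,
        "size": len(data),
        "sha256": sha256_hex(data),
        "encoded_vbscript": encoded,
        "double_extension": double_ext,
        "indicators": indicators,
        "suspicious": bool(indicators),
    }


def triage_zip(zip_bytes: bytes, max_member_size: int = 5_000_000) -> list:
    """Inspect every member of an attachment zip in memory, never on disk."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > max_member_size:
                # Decompression-bomb guard: record the member, do not inflate it.
                results.append({"name": info.filename, "size": info.file_size,
                                "indicators": ["member too large to inspect"],
                                "suspicious": True})
                continue
            results.append(classify_member(info.filename, zf.read(info)))
    return results


def build_sample_zip() -> bytes:
    """Constructed stand-in for the 'fvVAT' attachment; NOT the real sample."""
    fake_vbe = (b"\r\n\r\n\r\n"                       # leading blank lines, as in the post
                b"#@~^AAAAAA=="                       # Script Encoder header (length field is a placeholder)
                b"CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_PAYLOAD"
                b"==^#~@\r\n")                        # trailer
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("FVAT_invoice.pdf.vbe", fake_vbe)
        zf.writestr("readme.txt", b"Please find the invoice attached.\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in triage_zip(build_sample_zip()):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{flag:10} {entry['name']}  sha256={entry.get('sha256', '-')}")
        for ind in entry["indicators"]:
            print(f"            - {ind}")
```

Run it as-is to see the constructed zip triaged; to use it on a real attachment, pass the zip's bytes to `triage_zip()` and paste the printed SHA-256 into the Hybrid Analysis search box, which is the same check the post makes before any deobfuscation.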


Remember to read your emails carefully. Xmas is coming soon, so there will be more spam ;)

You will find more malware-related cases described here.
Here you will find the details I found on Hybrid Analysis.

See you next time!

Cheers




