It might be a targeted attack, given that we detected it only in one organization, or it might just be an ancient infection still attempting to propagate. In both cases it is an interesting case.
The email has a spoofed envelope-from and header-from: email@example.com (the mispelling is original)
The variable WriteData is 174592 characters long and contains the payload that will be written to a file named svchost.exe and then executed. The final binary file is 56320 bytes long and it’s sha265 hash is
It is a well know trojan, first detected in 2010.
Here is what virustotal knows about it:
And here is the analysis performed by the sandbox at hybrid-analysis:
This is likely due to a sloppy auto-generation of the text entity that greatly increases the email size for no reason.
Our systems detected this attack yesterday in a single organization in the UK, making us wonder whether this is a targeted attack.
But, really, a targeted attack using a 9 year old malware?
It looks quite strange especially considering that the payload is delivered through a vbscript embedded in the html entity of the email, which is something that virtually every email security solution detects and disarms.
Curious things happen. If you detected something similar recently, feel free to get in touch with me.
If this is a 9 year old infection still propagating, it is by itself worth of some thoughts.