Rewterz Threat Alert – Buran Ransomware Infects PCs via Microsoft Excel Web Queries

Tuesday, November 19, 2019



Analysis Summary

A new spam campaign has been spotted distributing the Buran Ransomware through IQY file attachments. When opened, these Microsoft Excel Web Query attachments will execute a remote command that installs the ransomware onto a victim’s computer.

A new malspam campaign was discovered by security researcher Suspicious Link that pretends to be a simple fwd of a previous email stating that the user should “Print document in attach”.

Malspam Email

This attached document is an IQY file that when opened will execute a web query, or remote command, given by a remote server that uses PowerShell to install the Buran Ransomware. IQY files, they are Excel Web Query documents that when opened will attempt to import data into a worksheet using external sources. For example, as shown below, the attached IQY file is simply a text file that specifies its data will come from the web and be retrieved from the listed URL.

IQY Attachment

The data returned from an external source can also be an formula that is then executed by Excel when the IQY file is opened. In this particular case, the formula will launch a PowerShell command that downloads a remote Buran Ransomware executable named 1.exe, saves it to the Temp folder, and then executes it.

Remote command to execute

Like malicious macros, users first need to enable the data source, but as we have seen with other spam campaigns, too many people blindly click on the Enable button.

IQY File in Excel

If the user clicks on Enable, the 1.exe file will be downloaded and executed, which will start to encrypt the files on the computer.

Buran Encrypted Files
Buran Ransom Note


File encryption


  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
  • Users can also block IQY files in Excel.

Data Sheets

Corporate Brochure

Our Story



Managed Security

Upcoming Rewterz Trainings/Events

Rewterz News

  • 6, December 2019 Rewterz Threat Advisory – CVE-2019-14899 – New Linux Vulnerability Inferring and hijacking VPN-tunneled TCP connections
  • 6, December 2019 Rewterz Threat Advisory – CVE-2019-18232 – ICS: Thales DIS SafeNet Sentinel LDK License Manager Runtime Privilege Escalation Vulnerability
  • 5, December 2019 Rewterz Threat Alert – “ZeroCleare” Targets Energy Sector in the Middle East
  • 5, December 2019 Rewterz Threat Alert – CStealer Trojan Targeting Chrome Passwords

Copyright © Rewterz. All rights reserved.