Medium
The adversary spoofs a World Health Organisation email and pretends to provide recommendations to the victim:
The shortened link redirects to a URL that serves a malicious Word document:
The two embedded documents are the same and are DOS batch files unknown on VT. When you look at the file, it is heavily obfuscated using Chinese characters: This script is a downloader and grabs another script via Powershell. The new script is obfuscated in the same way. Once launched, It changes system registry keys to affect system security. The script is also a downloader and grabs another stage via Powershell. This time, it’s a piece of Javascript code processed via mshta.exe.
Domain Name
Email Subject
Filename
MD5
SHA-256
Source IP
URL