Malspam Contains Password Protected Document That Downloads Sigma Ransomware


I received some malspam on 03/13/18 entitled “About a internship.” The email came with an attachment called “Janeen Resume.doc”:


The email is pretending to come from somebody interested in a job opening and they have attached their “résumé.” In reality, this document is being used as a downloader for Sigma ransomware.

Opening the document confirms that it is password protected:

password protected box

Inputting the password presents the victim with some instructions:

word doc

I typically scan malicious Office documents for embedded macros using tools like and However, if you were to do this before removing the password, you wouldn’t get any detections, because the encrypted package hides the macro storage from the scanner:

No luck

To get around this, I simply removed the password and saved the document.

document is password protected

Here you can see that the document is password protected, as well as various document properties like when it was created, last modified, and the author(s).

To do that, click on “Protect Document”, remove the password, click “OK”, and then save the document:

remove password

Scanning the document again shows it is a “Microsoft Word 2007+” document file using the Office Open XML (OOXML) file format. Because an OOXML file is a ZIP archive of XML parts, we can unzip it and look at the contents:

unzip resume

Unzipping the file allows you to see the contents, including the images (image1.png and image2.png) used within the document. Also, embedded macros in XML-based Office documents are typically stored in a binary file named vbaProject.bin, which we can see in the “word” directory.

Using strings we can quickly examine vbaProject.bin for any interesting ASCII strings:

strings vbaProject.bin show download location

As you can see from the image above, strings found the command and URL used to download the malware payload.

An even better option for this scenario would be to use

olevba is a handy tool because its output gives analysts a table summarizing the risky keywords found within the file. Another good option would be to use
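The unzip-and-strings steps above can be scripted for triage. The following is an added example, not code from the original post or from any of the tools it mentions: it classifies the container (a plain OOXML ZIP versus an OLE2 compound file, which is what a password-protected OOXML document becomes), and for an unencrypted document pulls word/vbaProject.bin out of the archive and runs a `strings`-style pass over it, flagging URLs and a few risky keywords. The sample document, the keyword list and the `example.invalid` URL are constructed for the example; the “EncryptedPackage” check is a heuristic based on the fact that OLE2 directory entry names are stored as UTF-16LE.

```python
import io
import re
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file header
ZIP_MAGIC = b"PK\x03\x04"                           # local file header of a ZIP

# Directory entry names inside an OLE2 compound file are UTF-16LE, so this byte
# string appearing in the file is a cheap hint (not proof) that the OLE2 file is
# an encrypted OOXML package rather than a legacy binary .doc.
ENCRYPTED_PACKAGE_NAME = "EncryptedPackage".encode("utf-16-le")

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")                 # printable ASCII runs, like `strings`
URL_RE = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]+", re.IGNORECASE)
# Constructed keyword list; a real triage pass would use olevba's much longer table.
SUSPICIOUS_KEYWORDS = (b"bitsadmin", b"powershell", b"cmd", b"appdata", b"shell", b"autoopen")


def container_type(data: bytes) -> str:
    """Classify the outer container without parsing the document."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    if data.startswith(OLE2_MAGIC):
        return "ole2-encrypted-ooxml" if ENCRYPTED_PACKAGE_NAME in data else "ole2"
    return "unknown"


def ascii_strings(blob: bytes) -> list:
    """Return printable ASCII runs of at least six characters, like `strings`."""
    return [m.group(0).decode("ascii") for m in STRING_RE.finditer(blob)]


def triage(data: bytes) -> dict:
    """Unzip an OOXML document and summarise what its vbaProject.bin contains."""
    result = {"container": container_type(data), "has_vba": False,
              "parts": [], "strings": [], "urls": [], "keywords": []}
    if result["container"] != "ooxml-zip":
        # An encrypted package has to have its password removed first, exactly
        # as described above; there is nothing to scan until then.
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        result["parts"] = zf.namelist()
        if "word/vbaProject.bin" in result["parts"]:
            result["has_vba"] = True
            vba = zf.read("word/vbaProject.bin")
            result["strings"] = ascii_strings(vba)
            result["urls"] = sorted({u.decode("ascii") for u in URL_RE.findall(vba)})
            result["keywords"] = sorted({k.decode("ascii") for k in SUSPICIOUS_KEYWORDS if k in vba.lower()})
    return result


def build_sample() -> bytes:
    """Constructed stand-in for an unprotected macro document (not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"\x89PNG")
        # Real vbaProject.bin files are OLE streams with compressed source; only the
        # literal strings matter for this pass, so a few constructed ones suffice.
        zf.writestr("word/vbaProject.bin",
                    b"\x00\x01MacroJunk\x00" b"bitsadmin\x00"
                    b"http://example.invalid/email.bin\x00" b"%AppData%\\taskwgr.exe\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Running the script prints the container type, the part names (including the media images), the recovered strings, the URL and the keyword hits for the constructed document; point `triage` at the bytes of a real file after the password has been removed to get the same summary.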

Now, getting back to examining the file from the perspective of the victim… After entering the password and clicking “Enable Content” the victim’s host would make a HEAD request, followed by a GET request, for the malware payload:


You can see that the User-Agent is “Microsoft BITS/7.8”, confirming the bitsadmin tool was used to download the file. The malware payload is downloaded from the remote server and saved to %AppData% as “taskwgr.exe”.
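The HEAD-then-GET pair with a “Microsoft BITS/” User-Agent is something a proxy or web-filter log can be checked for directly. The following is an added example, not code from the original post: it parses constructed proxy log lines (timestamp, client, method, URL, status, User-Agent), ignores BITS traffic to an allowlist of expected update hosts, and raises an alert for BITS requests to any other destination, marking the GET that follows a HEAD for the same URL from the same client. The log lines, the allowlist and the `203.0.113.10` and `example.invalid` addresses are all placeholders constructed for the example.

```python
import re

# Constructed proxy log lines (not from the original post); the addresses and
# host names are documentation placeholders.
SAMPLE_LOG = """\
2018-03-13T10:02:11Z 10.0.0.21 GET http://windowsupdate.example.invalid/update.cab 200 "Microsoft BITS/7.8"
2018-03-13T10:05:40Z 10.0.0.42 HEAD http://203.0.113.10/email.bin 200 "Microsoft BITS/7.8"
2018-03-13T10:05:41Z 10.0.0.42 GET http://203.0.113.10/email.bin 200 "Microsoft BITS/7.8"
2018-03-13T10:06:02Z 10.0.0.42 GET http://203.0.113.10/json 200 "Mozilla/5.0"
2018-03-13T10:07:15Z 10.0.0.57 GET http://intranet.example.invalid/page 200 "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (HEAD|GET|POST) (\S+) (\d{3}) "([^"]*)"$')

# Destinations where BITS traffic is expected (constructed allowlist; a real one
# would hold the organisation's update and CDN hosts).
BITS_ALLOWED_HOSTS = {"windowsupdate.example.invalid"}


def parse(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    host = url.split("//", 1)[-1].split("/", 1)[0]
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": host, "status": int(status), "ua": ua}


def detect_bits_downloads(log_text: str) -> list:
    """Alert on BITS-agent requests to hosts outside the allowlist."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    alerts = []
    seen_head = set()          # (client, url) pairs that already had a HEAD
    for e in events:
        if not e["ua"].startswith("Microsoft BITS/"):
            continue
        key = (e["client"], e["url"])
        if e["method"] == "HEAD":
            seen_head.add(key)
        if e["host"] in BITS_ALLOWED_HOSTS:
            continue           # normal update traffic
        if e["method"] == "GET" and key in seen_head:
            reason = "bits-get-after-head"       # the download itself
        else:
            reason = "bits-to-unapproved-host"
        alerts.append({"time": e["ts"], "client": e["client"],
                       "url": e["url"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect_bits_downloads(SAMPLE_LOG):
        print(a)
```

The allowlist is what keeps this rule usable: BITS is how Windows Update and many enterprise agents pull files, so the signal is not the User-Agent by itself but the User-Agent combined with a destination the organisation has never approved.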

Payload in %AppData%:


Process tree during the infection:

process tree

Additional information about some of the processes:

  • cmd.exe (PID: 4832) creates process conhost.exe (PID: 2420)
  • cmd.exe (PID: 4832) creates process bitsadmin.exe (PID: 3432)
  • svchost.exe (PID: 888) renames file C:\Users\[removed]\AppData\Roaming\BIT1F3F.tmp to C:\Users\[removed]\AppData\Roaming\taskwgr.exe
  • bitsadmin.exe (PID: 3432) kills its own process
  • cmd.exe (PID: 4832) creates process taskwgr.exe (PID: 4600)
  • taskwgr.exe (PID: 4600) creates child process taskwgr.exe (PID: 5656)
  • cmd.exe (PID: 4832) kills its own process
  • taskwgr.exe (PID: 5656) creates file C:\Users\[removed]\AppData\Roaming\Microsoft\[GUID]\taskwgr.exe
  • taskwgr.exe (PID: 5656) sets autostart registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome
  • taskwgr.exe (PID: 5656) creates file C:\Users\[removed]\AppData\Roaming\Microsoft\[GUID]
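Each step in that process list is a host-side detection opportunity. The following is an added example, not output from the sandbox or code from the original post: it replays a constructed event stream modelled on the bullets above (process creations, the BIT*.tmp rename, the Run key write) through a handful of rules and returns what fires. The PIDs and file names are the ones listed above with a placeholder user profile; the WINWORD.EXE parent of cmd.exe is an assumption the bullet list does not state, added so the Office-to-shell rule has something to match.

```python
import re

ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
BITS_TMP_RE = re.compile(r"\\BIT[0-9A-F]+\.tmp$", re.IGNORECASE)   # BITS temp file naming
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

USER = r"C:\Users\user"   # placeholder profile path


def proc(pid, image, parent_pid, parent_image):
    return {"type": "process", "pid": pid, "image": image,
            "parent_pid": parent_pid, "parent_image": parent_image}


# Constructed event stream following the process list above (not a sandbox export).
EVENTS = [
    proc(4832, r"C:\Windows\System32\cmd.exe", 1200,
         r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),   # assumed parent
    proc(2420, r"C:\Windows\System32\conhost.exe", 4832, r"C:\Windows\System32\cmd.exe"),
    proc(3432, r"C:\Windows\System32\bitsadmin.exe", 4832, r"C:\Windows\System32\cmd.exe"),
    {"type": "file_rename", "pid": 888, "src": USER + r"\AppData\Roaming\BIT1F3F.tmp",
     "dst": USER + r"\AppData\Roaming\taskwgr.exe"},
    proc(4600, USER + r"\AppData\Roaming\taskwgr.exe", 4832, r"C:\Windows\System32\cmd.exe"),
    proc(5656, USER + r"\AppData\Roaming\taskwgr.exe", 4600, USER + r"\AppData\Roaming\taskwgr.exe"),
    {"type": "file_create", "pid": 5656, "path": USER + r"\AppData\Roaming\Microsoft\{GUID}\taskwgr.exe"},
    {"type": "registry_set", "pid": 5656,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome",
     "data": USER + r"\AppData\Roaming\Microsoft\{GUID}\taskwgr.exe"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events: list) -> list:
    """Return (rule, pid) pairs for every event that matches a rule."""
    images = {}        # pid -> image path, learned from process creation events
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            images[ev["pid"]] = ev["image"]
            images.setdefault(ev["parent_pid"], ev["parent_image"])
            name, parent = basename(ev["image"]), basename(ev["parent_image"])
            if parent in OFFICE_APPS and name in SHELLS:
                findings.append(("office-spawned-shell", ev["pid"]))
            if name == "bitsadmin.exe" and parent in SHELLS:
                findings.append(("bitsadmin-from-shell", ev["pid"]))
            if ROAMING_RE.search(ev["image"]):
                findings.append(("exec-from-roaming", ev["pid"]))
        elif kind == "file_rename":
            # BITS writes a BIT*.tmp and renames it to the final name on completion.
            if (BITS_TMP_RE.search(ev["src"]) and ev["dst"].lower().endswith(".exe")
                    and ROAMING_RE.search(ev["dst"])):
                findings.append(("bits-tmp-renamed-to-exe", ev["pid"]))
        elif kind == "registry_set":
            actor = images.get(ev["pid"], "")
            if RUN_KEY_RE.search(ev["key"]) and ROAMING_RE.search(actor):
                findings.append(("run-key-from-roaming", ev["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in analyse(EVENTS):
        print(f"{rule:28s} pid={pid}")
```

The rules deliberately key on relationships (who spawned whom, which process wrote the Run value, where a renamed BITS temp file ended up) rather than on the file name taskwgr.exe, which the next sample will not reuse.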

A copy of the malware in %AppData%\Microsoft\[GUID]:

roaming microsoft

Persistence mechanism:


The sample never encrypted files in my virtual lab but did encrypt files on a physical host (not mine). However, I didn’t have the time to do any further analysis so I can’t confirm how it’s detecting my virtual sandbox.

When the process is complete the desktop background will be changed to a green text message over a black background (the images below were borrowed from the Internet):


While encrypting the system, Sigma ransomware creates ransom notes named ReadMe.txt in each folder in which a file was encrypted.

Below is an image of ReadMe.html:

Sigma ransomware page:

Sigma ransomware machine GUID


SHA256: 55f497f3728c57d284bd710bb517d6d2c56f0a6cc2248cfaf649294655abc1bc
File name: Resume.doc
Hybrid-Analysis Report

SHA256: cbbb8b1b14b3df9d331ece7167ca9ab2b7da61839742a107142016d8d9c6f8e8
File name: taskwgr.exe
Hybrid-Analysis Report

Network-Based IOCs
  • – – HEAD and GET – /email.bin
  • – – GET /json – NON MALICIOUS
  • yowl2ugopitfzzwb.onion


The password is “infected”
