Skip to content

Trending tags

Spam Trends: Top attachments and campaigns

Noora Hyvärinen

08.05.19 3 min. read

Malware authors tend to prefer specific types of file attachments in their campaigns to distribute malicious content.  During our routine threat landscape monitoring in the last three months, we observed some interesting patterns about the attachment types that are being used in various campaigns.

In February and March, we saw huge spam campaigns using ZIP files to send out GandCrab ransomware, and  DOC and XLSM files to distribute Trickbot banking trojan. In the same time period, we saw a similarly large campaign targeting American Express, and a ‘Winner’ scam, both using PDF file attachments.

We also noticed a new trend of disc image files (ISO and IMG) being used to spread malware, with a few small campaigns distributing AgentTesla InfoStealer and NanoCore RAT.

To give some background or context, our spam feeds show that malware authors do use a variety of attachment types:

When we view the feeds as a time chart however, it’s clear that ZIPs, PDF, and MS office files such as DOC and XLSM file attachments were more commonly used in huge spam campaigns.

ZIP files deliver GandCrab ransomware

In February and March, there were huge spam campaigns using ZIP files to deliver GandCrab ransomware. The files were designed to appear to be sending a photo to someone.

The ZIP contains a obfuscated JavaScript downloader, which executes a PowerShell script that downloads and executes the GandCrab ransomware binary.

If the payload is successfully downloaded and executed, it then encrypts the victim’s machine and displays a ransomware note:


DOC and XLSM files deliver Trickbot

In March, there were also huge spikes in spam campaigns using DOC and XLSM files to deliver Trickbot – a modular banking trojan that is also capable of delivering other payloads we’ve been seeing before.

The office doc attachments contain a malicious macro which downloads and executes the payload using bitsamin tool.

On successful download and execution, the Trickbot sample starts execution and creates modules on the victim’s machine:

PDF files used for phishing targeting American Express

One of the highest spikes in the graph that used PDF is a phishing campaign targeting American Express during March.

When the PDF file is opened, it shows a link that leads the user to a “secure message” pretending to be from the American Express Business Card Customer Security Team.

The link leads the victim to a shortened URL ( from GoDaddy – a trick many other phishing campaigns have been using to steal banking credentials. A recent example from another campaign using the similar shortened URL is a phishing link targeting Bank of America.

PDF files used for ‘Winner’ scam 

The second-highest campaign that uses a PDF file attachment is a “Winner” scam from Google as shown below:

The scam asks the victim to provide personal details such as full name, address, country/nationality, telephone/mobile number, occupation, age/gender, and private email address.

(Newly rising players) ISO and IMG: AgentTesla and NanoCore RAT

Though it does not produce the spikes in certain file types seen in the spam campaigns mentioned above, since July 2018 we’ve also noted an increasingly popular trend of attackers using disc image files to deliver malware. We have seen campaigns using this technique delivering AgentTesla InfoStealer and NanoCore RAT.

Interestingly, we also have seen a recent spam campaign delivering two types of attachments: A malicious office doc and ISO image file – both installs an AgentTesla infostealer.

The malicious doc will execute a macro to download and execute the payload.

While the ISO file contains the malicious binary inside.

Regardless of which of the two attachment types the victim chooses to open, either will install AgentTesla – an infostealer that is capable of collecting the victim’s system information and credentials from popular installed software such as browsers, email clients, and ftp clients.

F-Secure customers are protected as we block all the detected threats even at early stages of infections by DeepGuard.

Indicators of Compromise (SHA1s)



American Express Phishing:

Google Scam:



Noora Hyvärinen

08.05.19 3 min. read


Related posts


Newsletter modal

Thank you for your interest towards F-Secure newsletter. You will shortly get an email to confirm the subscription.

Gated Content modal

Congratulations – You can now access the content by clicking the button below.