{
	"id": "8a84d33c-0da3-487b-a680-0a706c8deafc",
	"created_at": "2026-04-06T00:16:56.892397Z",
	"updated_at": "2026-04-10T03:19:55.186243Z",
	"deleted_at": null,
	"sha1_hash": "578875edc840b4a89118869e9c2223db93f4dd70",
	"title": "What is the PowerSniff malware? - The Security Buddy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 278871,
	"plain_text": "What is the PowerSniff malware? - The Security Buddy\r\nBy Amrita Mitra\r\nPublished: 2017-03-09 · Archived: 2026-04-05 19:56:45 UTC\r\nWhat is the PowerSniff malware?\r\nPowerSniff is a malware program that is distributed to victims via spam emails carrying a Microsoft Word Document attachment. It uses social engineering techniques to convince a victim to click on the attachment. When the victim opens the Microsoft Word Document attachment, a malicious macro embedded in the file starts executing, and that macro infects the computer with the malware.\r\nHow does the PowerSniff malware infect a computer?\r\nAt first, a victim gets an email with a Microsoft Word Document attachment. The majority of the emails contain specific information about the victim’s company, like its physical address, phone number, etc. As a result, the victim is easily deceived, and the likelihood that the victim will open the attachment increases.\r\nWhen the victim opens the Microsoft Word Document, a malicious macro contained in the file starts executing. A Microsoft Word Document macro is a series of commands and instructions that are grouped together as a single command to accomplish a specific task automatically.\r\nThis macro invokes the WMI service, which executes a hidden instance of powershell.exe. It checks whether the system is a 32-bit or a 64-bit machine. Based on that information, it downloads and executes another malicious file on the system.\r\nThe downloaded file is a PowerShell script that contains shellcode, which is subsequently decoded and executed. This shellcode decrypts and executes an embedded payload.\r\nThe malware then performs a number of actions to gather some information, such as whether the system is running in a sandbox or virtualized environment, along with specific information about the victim. The malware mainly tries to determine whether the victim works in a financial institution or whether the device is actively used for financial transactions. The malware appears to avoid machines that are part of a healthcare or educational organization. If the conditions are met, the victim’s machine is marked as interesting to the attackers.\r\nHow to prevent the PowerSniff malware?\r\nThe following precautions can be taken to safeguard a user from falling victim to this malware:\r\nAs this malware relies on Microsoft Word Document macros, please ensure macros are not enabled in Word documents by default.\r\nIf you are not sure of the authenticity of the source, please avoid enabling any macros contained in the file.\r\nPlease avoid clicking on an email attachment if you are not sure about the sender of the email.\r\nI hope this helps. Interested readers who want to know more about how different malware and cyberattacks work and how we can prevent them may want to refer to the book “A Guide To Cyber Security.”\r\nSource: https://www.thesecuritybuddy.com/malware-prevention/what-is-powersniff-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.thesecuritybuddy.com/malware-prevention/what-is-powersniff-malware/"
	],
	"report_names": [
		"what-is-powersniff-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434616,
	"ts_updated_at": 1775791195,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/578875edc840b4a89118869e9c2223db93f4dd70.pdf",
		"text": "https://archive.orkl.eu/578875edc840b4a89118869e9c2223db93f4dd70.txt",
		"img": "https://archive.orkl.eu/578875edc840b4a89118869e9c2223db93f4dd70.jpg"
	}
}