# GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts **[bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts](https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/)** By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) February 8, 2018 03:12 AM 0 A new malspam campaign is underway that is pretending to be PDF receipts, but instead [installs the GandCrab ransomware on a victim's computer. This is done through a series of](https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/) malicious documents that ultimately install the ransomware via a PowerShell script. The start of the chain of events that lead to the installation of GandCrab is when a victim receives an email with a subject like "Receipt Feb-078122". These emails contain a PDF attachment with names like Feb01221812.pdf as shown below. **Malspam Pretending to be a Receipt** When a user opens this PDF, they will be shown a prompt that pretends to be a captcha asking the user to confirm they are human. ----- **Fake Captcha** When a user clicks on the captcha, the PDF file downloads a malicious word document. When opened, this document will contain the standard social engineering text that tries to convince the user to enable macros by clicking on the Enable Content button. **Malicious Word Document** ----- Once a user clicks on the Enable Content button it will trigger the malicious macro shown below. **Malicious Word Macro** This macro will launch a PowerShell command that downloads and executes a PowerShell [script from a remote site. As pointed out by security researcher Derek Knight, this script](http://myonlinesecurity.co.uk/fake-receipt-malspam-delivers-gandcrab-ransomware-via-pdf-dropping-macro-dropping-exploit-file/) specifically calls the PowerShell command in a folder that only exists on 64 bit versions of Windows. Therefore, those who are running 32-bit versions of Windows will be protected from this macro. The PowerShell that is executed by the Word document is seen below. **PowerShell Command** When the sct5 PowerShell script is executed, it will decode an embedded GandCrab executable and launch it. ----- **PowerShell Installer** Once launched, GandCrab will connect to the remote Command & Control servers and begin encrypting a victim's computer. As you can see, this all started simply by opening a malicious PDF contained in malspam. This is why it is very important to be careful not to open any attachments unless you confirm that they were actually sent by the sender. If the sender is not someone you know, then do not open it at all to be safe. For those who are infected with this ransomware, you can request help in our GandCrab Help & Support topic. Be smart and stay safe! **[Update 2/8/18 10:45 AM: Added information from Derek Knight about how the macro](https://twitter.com/dvk01uk)** calls the PowerShell command in a folder that only exists on 64-bit versions of Windows. ## Related Articles: [New ‘Cheers’ Linux ransomware targets VMware ESXi servers](https://www.bleepingcomputer.com/news/security/new-cheers-linux-ransomware-targets-vmware-esxi-servers/) [SpiceJet airline passengers stranded after ransomware attack](https://www.bleepingcomputer.com/news/security/spicejet-airline-passengers-stranded-after-ransomware-attack/) [US Senate: Govt’s ransomware fight hindered by limited reporting](https://www.bleepingcomputer.com/news/security/us-senate-govt-s-ransomware-fight-hindered-by-limited-reporting/) ----- [New RansomHouse group sets up extortion market, adds first victims](https://www.bleepingcomputer.com/news/security/new-ransomhouse-group-sets-up-extortion-market-adds-first-victims/) [Ransomware attack exposes data of 500,000 Chicago students](https://www.bleepingcomputer.com/news/security/ransomware-attack-exposes-data-of-500-000-chicago-students/) [GandCrab](https://www.bleepingcomputer.com/tag/gandcrab/) [MalSpam](https://www.bleepingcomputer.com/tag/malspam/) [Ransomware](https://www.bleepingcomputer.com/tag/ransomware/) [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. [Previous Article](https://www.bleepingcomputer.com/news/security/new-magneto-and-odini-techniques-steal-data-from-faraday-cage-protected-equipment/) [Next Article](https://www.bleepingcomputer.com/news/security/wordpress-holds-epic-fail-week-devs-break-background-updates-ignore-zero-day/) [Post a Comment Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ## You may also like: -----