{
	"id": "3895ae64-3877-4537-905f-71da7a04797b",
	"created_at": "2026-04-06T00:12:18.697099Z",
	"updated_at": "2026-04-10T03:20:31.177708Z",
	"deleted_at": null,
	"sha1_hash": "b4c2c4d66d78732fba1f39370fbd00663086cfeb",
	"title": "Fake Purchase Order Used to Deliver Agent Tesla | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1328488,
	"plain_text": "Fake Purchase Order Used to Deliver Agent Tesla | FortiGuard Labs\r\nPublished: 2022-03-07 · Archived: 2026-04-05 20:09:42 UTC\r\nSince the dawn of phishing, fraudulent invoicing and purchasing schemes have been one of the most common lures. The usual modus operandi involves appealing to the recipient’s desire to avoid incurring a debt, especially where a business may be involved.\r\nFortiGuard Labs recently came across an interesting phishing e-mail masquerading as a purchase order addressed to a Ukrainian manufacturing organization that deals with raw materials and chemicals. The e-mail contained a PowerPoint attachment that is in reality a sophisticated, multi-stage effort to deploy the Agent Tesla RAT (Remote Access Trojan).\r\nWhat makes this campaign unique is the usage of PPAM, a file format that is not very common. A PPAM is a Microsoft PowerPoint add-in that gives developers extra functionality, such as extra commands, custom macros, and new tools. This blog will detail the infection process and subsequent malware deployment.\r\nAffected Platforms: Windows\r\nImpacted Users: Windows users\r\nImpact: Compromised machines are under the control of the threat actor\r\nSeverity Level: Medium\r\nExamining the phishing e-mail\r\nLike so many computer-based attacks, this one began as a phishing e-mail sent to an organization in Ukraine.\r\nhttps://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla\r\nPage 1 of 16\n\nFigure 1. E-mail to the target recipient.\r\nSpelling and grammar issues aside, like most good phishing campaigns this one provides a time-sensitive statement urging the recipient to review the attached order without delay.\r\nLooking deeper at the e-mail and where it came from, we can see some additional information in the headers.\r\nFigure 2. 
E-mail headers showing the origin of the message.\r\nFigure 2b. Parked page.\r\nThe e-mail originated at an address of 194[.]99[.]46[.]38 that corresponds to slot0.warongsoto.com. This is hosted on a run-of-the-mill VPS server. Visiting the server, we noticed that the site states that the server control panel is controlled by VESTA. Recent CVE data highlights that Vesta Control Panel is affected by remote command execution and elevation of privilege vulnerabilities that ultimately allow for full compromise of the system (CVE-2020-10786 and CVE-2020-10787).\r\nThe domain itself appears to be either abandoned or at least unused, with no active content hosted. It was registered in the United States in October 2021.\r\nThe originating e-mail address does not appear to reference an actual individual, and a search for other instances of it being used elsewhere came up empty.\r\nExamining the dropper – stage 1\r\nPhase 1\r\nDropping the final payload occurs in multiple phases, making this, in actuality, a very complex operation. As shown in Figure 1, attached to the e-mail is the file “order001.ppam”. This is an add-in file format used by Microsoft PowerPoint that, in this case, contains a malicious macro that acts as a dropper for Agent Tesla.\r\nThe first phase of stage 1 begins with opening the PPAM attachment to activate the macro contained within.\r\nFigure 3. Visual Basic macro contained within “order001.ppam”.\r\nOnce the macro is executed, it will reach out to the URL shortener Bit.ly to download the next phase of the dropper. 
The address used is: hXXp://www[.]bitly[.]com/awnycnxbcxncbrpopor/\r\nPhase 2\r\nThe call out to Bitly will be redirected to a location on MediaFire – a file hosting site (hXXp://download2261[.]mediafire[.]com/6lcqxbws032g/wctsdmx4dsh95xs/19.htm). As can be inferred, this was a campaign and not simply directed at one recipient. There were multiple files made available over several days, as shown below in Figure 4.\r\nFigure 4. MediaFire repository showing multiple other files from this campaign.\r\nEach of the files is very similar, with minor tweaks to the download location of the next step. Figure 5, below, shows 19.htm as it appears if downloaded directly.\r\nFigure 5. HTM file as it appears when downloaded.\r\nIf we arrange the file into a more readable format, we get a better sense of what it’s trying to do.\r\nFigure 6. Key part of the HTM file.\r\nAs seen in Figure 6, the file attempts to taskkill several applications and services, followed by adding a scheduled task to the Windows Task Scheduler. The script then attempts to download and execute another file from MediaFire - hXXp://www[.]mediafire[.]com/file/otza6n31talvvle/19.dll.\r\nPhase 3\r\nWhile the file extension gives the impression of a Microsoft dynamic link library (.dll), 19.dll is in actuality a PowerShell script containing instructions in a large amount of hexadecimal data.\r\nFigure 7. HTM file as it appears when downloaded.\r\nOnce executed, the hexadecimal data will be transformed into additional PowerShell commands that will run in memory. For example, new registry keys will be added to assist with persistence.\r\nFigure 8. 
Added entries to the Windows Registry.\r\nIf captured and reviewed, the entries that stand out the most are two large, compressed byte arrays — $nona and $STRDYFUGIHUYTYRTESRDYUGIRI.\r\nFigure 9. Large byte arrays.\r\nAs can be seen in Figure 9, the byte arrays are then decompressed for use. Once decompressed, these can be saved as executable Windows files. $nona is the larger of the two and is Agent Tesla. $STRDYFUGIHUYTYRTESRDYUGIRI will inject Agent Tesla into a running Windows process.\r\nRenaming 19.dll to 19.ps1 allows it to be executed as a normal PowerShell script. With this particular sample, it will attempt to launch and then inject Agent Tesla into the aspnet_compiler.exe application.\r\nFigure 10. On the left, the PowerShell script can be seen launching aspnet_compiler.exe.\r\nExamining the malware – stage 2\r\nAt its core, Agent Tesla is a keylogger and RAT (Remote Access Trojan). It will take any results captured from the keyboard and clipboard and send them back to its C2 (Command and Control) server. In this instance, once injected into the aspnet_compiler.exe process, Agent Tesla will be up and running. With entries in the registry, it will have persistence to run even if the host machine is rebooted.\r\nFigure 11. Agent Tesla running inside a debugger.\r\nAs can be seen in Figure 11, this variant is similar to one FortiGuard Labs has analyzed previously.\r\nFrom this point, it will run in the background and observe the user, recording their actions and sending them back to the threat actor.\r\nFigure 12. 
Typical connection cycle to Agent Tesla’s C2.\r\nConclusion\r\nThreat actors for the most part like to use lures that are tried and true, as was the case here with the invoicing phishing e-mail, because they continue to enjoy success. The dropper attached to the phishing e-mail shows the continuing evolution and complexity required to evade modern security controls, combined with the need to traverse several gates to arrive at the release point for the final payload.\r\nOnce finally deployed to a system, the ability to obfuscate and hide inside everyday files and processes proves that Agent Tesla is a very capable and formidable threat. Unfortunately, this trend towards increasing sophistication is unlikely to abate any time soon.\r\nFortinet Protections\r\nFortiMail’s integrated antivirus, sandbox, and content disarm and reconstruction (CDR) functions detect and disable this malicious attachment. The FortiGuard Antivirus service detects and blocks this threat as:\r\nVBA/Agent.GBX!tr\r\nJS/Agent.YHB!tr\r\nPossibleThreat.PALLAS.H\r\nThe domain warongsoto.com is blocked by the Web Filtering client. 
\r\nIOCs\r\nSample SHA-256:\r\nDLL/PS1 SHA256\r\nFileless Tesla 
SHA256\r\nFilename SHA256\r\nOrder001.ppam 
DCA3AC723A130E56FB158C34C68E1C4B7D8577D0DBE9D8B859BFFF7ADA34D02E\r\nLoader 4C0E2CB721585C480169B3804E17E2761BC5FE76584CF1375FCCDB33CA64D5A5\r\nNetwork IOCs:\r\n192[.]154[.]226[.]47\r\nMitre TTPs\r\nResource 
Development\r\nStage Capabilities: Upload Malware T1608.001\r\nInitial Access\r\nPhishing: Spearphishing Attachment T1566.001\r\nExecution\r\nCommand and Scripting Interpreter: PowerShell T1059.001\r\nUser Execution: Malicious File T1204.002\r\nPersistence\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001\r\nDefense Evasion\r\nProcess Injection: Portable Executable Injection T1055.002\r\nReflective Code Loading T1620\r\nCredential Access\r\nCredentials from Password Stores: Credentials from Web Browsers T1555.003\r\nInput Capture: Keylogging T1056.001\r\nDiscovery\r\nAccount Discovery T1087\r\nCommand and Control\r\nApplication Layer Protocol: Web Protocols T1071.001\r\nThanks to Val Saengphaibul who helped contribute to this blog.\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla"
	],
	"report_names": [
		"fake-purchase-order-used-to-deliver-agent-tesla"
	],
	"threat_actors": [],
	"ts_created_at": 1775434338,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4c2c4d66d78732fba1f39370fbd00663086cfeb.pdf",
		"text": "https://archive.orkl.eu/b4c2c4d66d78732fba1f39370fbd00663086cfeb.txt",
		"img": "https://archive.orkl.eu/b4c2c4d66d78732fba1f39370fbd00663086cfeb.jpg"
	}
}