{
	"id": "0a17372a-2aac-42b6-b412-2ea960c72a77",
	"created_at": "2026-04-06T00:08:35.194652Z",
	"updated_at": "2026-04-10T03:20:22.427508Z",
	"deleted_at": null,
	"sha1_hash": "fff144a2e88127bd368a2b785f4e6442a844c0ca",
	"title": "Buer Loader Found in an Unusual Email Attachment",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 116182,
	"plain_text": "Buer Loader Found in an Unusual Email Attachment\r\nBy VIPRE Labs\r\nPublished: 2021-03-18 · Archived: 2026-04-05 19:45:07 UTC\r\nThe COVID-19 pandemic has resulted in people ramping up online activities: working from home, online shopping and relying more on online services. Recently, we came across a spam email lurking in the wild. This spam email is disguised as coming from a known logistics company and has an unusual attachment. The attackers trick the victim into believing that the email is legitimate by using a legitimate domain in the sender’s email address. The content is also properly constructed and uses a known logo, making it difficult to spot that it is a malicious email.\r\nFigure 1.0 Spam email with .jnlp attachment\r\nAs threats become more prominent, we should always be cautious. These are some indicators that show that this email is suspicious and not legitimate:\r\nFigure 2.0 The email header\r\nChecking the email header, we can see that the “received from” field, in the green box in Figure 2.0, does not match the “from” field (the visible sender of the email). The “received from” data is the most reliable and is where we can see the real sender of the email. Upon researching, the domain in the “received from” header is not related to DHL. With this, we can say that the email header is forged.\r\nAn additional check is the Received-SPF: softfail result. It says that the “domain of DHL.COM does not designate 45.88.105.192 as permitted sender”. Upon checking, the IP address 45.88.105.192 in the “received from” header is also not related to DHL.\r\nThe attachment of the email is a .jnlp (Java Network Launch Protocol) file, which is an unusual attachment for an email.\r\nAnalyzing the attachment\r\nWe will now proceed to the analysis of the jnlp file attachment, which has the filename “invoice.jnlp”. We said earlier that .jnlp stands for Java Network Launch Protocol, which is used for launching Java applications hosted on a remote web server from a desktop client. Checking the jnlp file, we can see that it will download invoice.jar from the web server hxxp://invoicesecure[.]net/documents when executed.\r\nFigure 3.0 The jnlp file\r\nThe downloaded file is invoice.jar, a Java Archive file. When we tried to launch the file, it showed this output:\r\nFigure 4.0 The error message upon launching invoice.jar\r\nWith this message, the victim will think that it was an error and will ignore the file. But upon analyzing invoice.jar, we found out that this message is just a decoy. The attackers use this technique to trick their victims and make the malware run without suspicion. Based on its code, after showing the error message it starts to read data from “hxxp://invoicesecure[.]net/img/footer[.]jpg” and saves it as “C:\\ProgramData\\drvr32.exe”. It then uses Desktop.getDesktop().open() to open drvr32.exe.\r\nFigure 5.0 The decompiled invoice.jar\r\nFigure 6.0 The HTTP GET request once invoice.jar was executed\r\nhttps://labs.vipre.com/buer-loader-found-in-an-unusual-email-attachment/\r\nPage 1 of 4\r\nThe Buer Loader\r\nThe malicious downloaded file was named “drvr32.exe” and disguised as a legitimate XLS viewer application:\r\nFigure 7.0 Disguising as a legitimate file\r\nThis file was identified as a type of malware loader known as Buer Loader. This loader was first seen in 2019 and is commonly distributed through malicious spam email campaigns.\r\nFigure 8.0 The Buer Loader\r\nWhen executed, it first creates its installation folder “zsadsadsad” in the Startup folder and creates a copy of itself in %AppData%. The created folder “zsadsadsad” contains an LNK shortcut file. We decoded the LNK file to analyze all the information it contains and found out that it links to the created copy.\r\nFigure 9.0 The installation folder “zsadsadsad” and the LNK shortcut file\r\nFigure 10.0 The decoded information of the LNK file linking to the created copy\r\nThroughout our analysis, we found out that this loader has an anti-analysis routine. It checks whether the following DLLs exist in the environment where the malware is running:\r\nFigure 11.0 The DLLs to check\r\nAs per our checking, some of the DLLs above are related to anti-virus products and debuggers.\r\nThen, it calls functions like GetCurrentHwProfileA, GetComputerNameW, and GetVolumeInformation to collect information about the infected machine. The collected information is combined in allocated memory and formatted using the wsprintfW function.\r\nFigure 12.0 Routine for formatting the collected information\r\nFigure 13.0 The formatted string of the victim’s machine information\r\nAfter this, it calls other functions to retrieve more information about the infected machine and uses this information for the malware’s next actions:\r\nRtlGetVersion\r\nGetNativeSystemInfo\r\nGetComputerNameW\r\nGetDriveTypeA\r\nGetDiskFreeSpaceExA\r\nGetUserNameW\r\nNetWkstaGetInfo\r\nAll of the other retrieved information is appended to the formatted string above, and the output is this:\r\ncb9f1daacc0545c0e5bf0c67ead614d24884570889cf7435572fa55e134b1012|bc31re1bs5a8d1fc4ddb3cc4b75594c31b8c00de3fdfa31fgg1ad15e87|x32|1|User|WIN-SPF5F5SH244|14/59|WORKGROUP|test|0\r\nThen, this output is formatted again using the wsprintfW function, and the result is this:\r\nFigure 14.0 The 2nd round of formatting of the victim’s machine information string\r\nAfter retrieving and formatting the needed information from the victim’s machine, Buer Loader converts it to a base64 string:\r\nFigure 15.0 Converting to base64 string\r\nDigging deeper into our analysis, we encountered the InternetOpenA function, which initializes use of the WinINet functions. Then, it tries to open an HTTP session to “verstudiosan[.]com” using the InternetConnectW function.\r\nFigure 16.0 Opens an HTTP session\r\nIt uses the GET method to download additional malware and the POST method to send the collected victim’s machine information to the server:\r\nFigure 17.0 HTTP POST request method\r\nFigure 18.0 Sending the specified request\r\nWe searched the domain and found out that it was only recently created. We also learned that this domain is no longer reachable and was possibly just used for malicious activity.\r\nFigure 19.0 The recently created domain\r\nFigure 20.0 Unreachable server\r\nAttack Flow\r\nVIPRE detects and prevents this kind of malware and associated infections.\r\nIOCs:\r\nThe Spam Email\r\n66f13fa2c9e34705bbbc4645462188ca57c0fdc3a17418c96c0ed9371055f3bc\r\nJNLP File\r\n368b409080e9389b342e33a014cd7daf3fd984fdc2b0e5ecc8ac4d180759a1c4\r\nJar File\r\n064fe7ef429f373d38813a05c9d2286a86337c1fc1b12c740b729f1f76de1811\r\nPE File\r\ndbdc38dee1c9c9861a36cf6462dca55dcef6c1f128b2270efd99d4347568292c\r\nMalicious website\r\nverstudiosan[.]com\r\nhxxp://invoicesecure[.]net/documents\r\nAnalysis by #Farrallel\r\nSource: https://labs.vipre.com/buer-loader-found-in-an-unusual-email-attachment/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.vipre.com/buer-loader-found-in-an-unusual-email-attachment/"
	],
	"report_names": [
		"buer-loader-found-in-an-unusual-email-attachment"
	],
	"threat_actors": [],
	"ts_created_at": 1775434115,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fff144a2e88127bd368a2b785f4e6442a844c0ca.pdf",
		"text": "https://archive.orkl.eu/fff144a2e88127bd368a2b785f4e6442a844c0ca.txt",
		"img": "https://archive.orkl.eu/fff144a2e88127bd368a2b785f4e6442a844c0ca.jpg"
	}
}