Malicious .iso Attachments

Published: 2017-07-21
Last Updated: 2017-07-21 22:23:02 UTC
by Didier Stevens (Version: 1)
0 comment(s)

We've been informed of recent malware campaigns that deliver .iso attachments (.iso files are CD/DVD images). These .iso files contain a malicious executable.

Since Windows 8, Windows will automatically mount .iso files when they are opened. Like this, these .iso files are like .zip files with malware.

Here is an example of an email with .iso attachment:

This email file can be analyzed with emldump:

Part 5 contains the attached .iso file (Quotation-0568.iso), and can be extracted like this:

There are several methods to analyze .iso files, even with Python. Here we will use 7-Zip:

The executable can be extracted like this:

It is indeed a PE file:

Didier Stevens
Microsoft MVP Consumer Security

Keywords: iso malware
0 comment(s)


Diary Archives