Last Updated: 2017-07-21 22:23:02 UTC
by Didier Stevens (Version: 1)
We've been informed of recent malware campaigns that deliver .iso attachments (.iso files are CD/DVD images). These .iso files contain a malicious executable.
Since Windows 8, Windows will automatically mount .iso files when they are opened. Like this, these .iso files are like .zip files with malware.
Here is an example of an email with .iso attachment:
This email file can be analyzed with emldump:
Part 5 contains the attached .iso file (Quotation-0568.iso), and can be extracted like this:
The executable can be extracted like this:
It is indeed a PE file: