
SANS ISC: Archived .vbe attachments in malspam SANS ISC InfoSec Forums

Archived .vbe attachments in malspam
Here's a recent email conversation I thought I'd share:

From: [redacted]
Sent: Tuesday, August 4, 2015 18:48 UTC
Subject: Sample

Hi Brad - I'm a huge fan of the research you do and follow you on Twitter.

Interested in a sample that we received today? Looks like a .zip file but I believe it is actually a .vbs or other format....

Have you seen anything like it? We block .zips but this sailed right through. Here's a screenshot:



NOTE: The gif shows a screenshot of an email (can't share the details) with a .zip attachment,

Sent: Wednesday, August 5, 2015 02:13 UTC
To: [redacted]
Subject: RE: Sample


Thanks for the email! Yeah, I've seen a few zipped (or otherwise archived) Visual Basic files sent through malspam. Here are some tweets about it I can remember off the top of my head:

2015-07-22 -…
2015-07-27 -…
2015-08-05 -…

It's probably just another trick to evade the malware filters through the email.

Concerning your sample, I haven't noticed that particular theme before, but it fits the profile for this type of malspam. The archived attachments are quite small--anywhere from 4 to 8 KB.

The .vbe-based malware are file downloaders. I've seen both .vbe and .js files sent this way, usually archived in ZIP format, but today I saw a .vbe downloader archived using RAR.

Hope this helps. Thanks again for the info. It's always interesting to see what others are finding.


Brad Duncan
Security Researcher
Rackspace Information Security Operations Center (ISOC)
San Antonio, Texas, United States
Company website:
Personal blog:
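
A content-based attachment check for the pattern discussed above, added here as an illustration and not part of the original diary or e-mails: it identifies ZIP and RAR containers by their magic bytes rather than by file name, and lists ZIP members that carry script extensions. The function names, the extension list and the sample attachments are assumptions constructed for the example.

```python
import io
import os
import zipfile

# Assumption: extensions to flag. The page names .vbe and .js (and .vbs in the question).
SCRIPT_EXTS = {".vbe", ".vbs", ".js"}
ZIP_MAGIC = b"PK\x03\x04"      # ZIP local file header
RAR_MAGIC = b"Rar!\x1a\x07"    # prefix shared by the RAR 4 and RAR 5 signatures


def classify_attachment(filename, data):
    """Return (container, flagged_members) for one attachment.

    The decision is made on the bytes; `filename` is kept only for reporting,
    so a misleading attachment name does not change the result.
    """
    if data.startswith(RAR_MAGIC):
        # The standard library cannot list RAR members, so only the container
        # type is reported here, for quarantine or manual review.
        return "rar", []
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-malformed", []
        flagged = [n for n in names
                   if os.path.splitext(n.lower().rstrip(" ."))[1] in SCRIPT_EXTS]
        return "zip", flagged
    return "other", []


def build_sample_zip():
    """Constructed sample: a small ZIP holding an inert file with a .vbe name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2015.doc.vbe", "inert placeholder, not a script")
        zf.writestr("readme.txt", "constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "document.pdf": build_sample_zip(),          # archive under a non-archive name
        "scan.zip": RAR_MAGIC + b"\x00" * 17,        # constructed RAR header stub
    }
    for name, blob in samples.items():
        print(name, len(blob), classify_attachment(name, blob))
```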
