New Phishing Emails Deliver Malicious .ISO Files to Evade Detection



On May 22, 2017, PhishMe® received several emails with .ISO images as attachments via the Phishing Defense Center. ISO images are typically used as an archive format for the contents of an optical disc and are often used as operating system installers. In this case, however, a threat actor leveraged this archive format to deliver malware to the recipients of their phishing email. Analysis of the attachments showed that the archive format was abused to deliver malicious AutoIT scripts hidden within a PE file that appears to be a Microsoft Office document; the PE file creates a process called MSBuild.exe and causes it to act as a Remote Access Trojan. AutoIT is a BASIC-like scripting language designed for automating Windows GUI tasks and general scripting. Like any scripting or programming language, it can be used for malicious purposes.
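The abuse described above rests on a mail gateway treating an .ISO attachment as an opaque blob. The following is an added example, not code from PhishMe or from this analysis, that opens an ISO 9660 image with the standard library only and flags any file that starts with the PE magic (`MZ`), noting when its name imitates an Office or PDF document. It walks the Joliet directory tree when one is present, because that is where long names such as "Purchase Order.doc.exe" live (the primary tree only carries 8.3-style names), and falls back to the primary tree otherwise. The image bytes would normally come from the attachment (for instance `part.get_payload(decode=True)` on a part from the `email` module); here a minimal single-file image is constructed in-line as a fixture, and the "dropper" is a constructed stand-in that carries only the MZ magic. The volume layout, field offsets and the `%/@`, `%/C`, `%/E` Joliet escape sequences are from ECMA-119 and the Joliet specification; the document-extension list and the fixture's file names are this example's own.

```python
SECTOR = 2048                                  # ISO 9660 logical sector size
JOLIET_ESCAPES = (b"%/@", b"%/C", b"%/E")      # escape sequences that mark a Joliet descriptor
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf")   # assumed document look-alike list

def _both(n: int, width: int) -> bytes:
    # ISO 9660 "both-byte order" field: little-endian copy followed by big-endian copy
    return n.to_bytes(width, "little") + n.to_bytes(width, "big")

def _dir_record(ident: bytes, lba: int, size: int, is_dir: bool) -> bytes:
    # one ECMA-119 directory record: ext-attr len, extent, size, date, flags, unit, gap, vol seq, name
    body = (bytes([0]) + _both(lba, 4) + _both(size, 4) + bytes(7)
            + bytes([2 if is_dir else 0, 0, 0]) + _both(1, 2) + bytes([len(ident)]) + ident)
    if len(ident) % 2 == 0:                    # pad so the record length is even
        body += b"\x00"
    return bytes([len(body) + 1]) + body

def _read_dir(img: bytes, lba: int, size: int, joliet: bool):
    # yield (name, extent_lba, extent_len, is_dir) for each entry of one directory extent
    data, off = img[lba * SECTOR: lba * SECTOR + size], 0
    while off < len(data):
        rec_len = data[off]
        if rec_len == 0:                       # records never straddle sectors: skip the padding
            off = (off // SECTOR + 1) * SECTOR
            continue
        rec = data[off: off + rec_len]
        ident = rec[33: 33 + rec[32]]
        if ident not in (b"\x00", b"\x01"):    # skip the "." and ".." entries
            name = ident.decode("utf-16-be" if joliet else "ascii").split(";")[0]
            yield (name, int.from_bytes(rec[2:6], "little"),
                   int.from_bytes(rec[10:14], "little"), bool(rec[25] & 2))
        off += rec_len

def list_files(img: bytes):
    # return [(path, content)] for every file, preferring the Joliet tree (long names) when present
    root, joliet, lba = None, False, 16
    while True:                                # walk the volume descriptor set
        vd = img[lba * SECTOR: (lba + 1) * SECTOR]
        if vd[1:6] != b"CD001":
            raise ValueError("not an ISO 9660 image")
        if vd[0] == 255:                       # descriptor set terminator
            break
        if vd[0] == 1 and root is None:        # primary descriptor: 8.3-style names only
            root = vd[156:190]
        elif vd[0] == 2 and vd[88:91] in JOLIET_ESCAPES:
            root, joliet = vd[156:190], True   # Joliet: UTF-16BE names, where long names live
        lba += 1
    if root is None:
        raise ValueError("no usable volume descriptor")
    files = []
    stack = [("", int.from_bytes(root[2:6], "little"), int.from_bytes(root[10:14], "little"))]
    while stack:
        prefix, dlba, dlen = stack.pop()
        for name, elba, elen, is_dir in _read_dir(img, dlba, dlen, joliet):
            if is_dir:
                stack.append((f"{prefix}/{name}", elba, elen))
            else:
                files.append((f"{prefix}/{name}", img[elba * SECTOR: elba * SECTOR + elen]))
    return files

def scan_iso(img: bytes):
    # flag every PE (MZ) file; note when its name imitates an Office/PDF document
    return [{"path": p, "pe": True, "doc_lookalike": any(e in p.lower() for e in DOC_EXTS)}
            for p, content in list_files(img) if content[:2] == b"MZ"]

def build_sample_iso(primary_name: bytes, payload: bytes, joliet_name: str = "") -> bytes:
    # constructed fixture: a minimal single-file ISO 9660 image, optionally with a Joliet tree
    proot = 16 + (3 if joliet_name else 2)     # first sector after the descriptor set
    jroot = proot + 1 if joliet_name else None
    file_lba = (jroot or proot) + 1
    def descriptor(kind: int, root_lba: int, escape: bytes = b"") -> bytes:
        v = bytearray(SECTOR)
        v[0], v[1:6], v[6] = kind, b"CD001", 1
        v[88:88 + len(escape)] = escape
        if kind != 255:
            v[156:190] = _dir_record(b"\x00", root_lba, SECTOR, True)
        return bytes(v)
    def directory(root_lba: int, ident: bytes) -> bytes:
        d = (_dir_record(b"\x00", root_lba, SECTOR, True) + _dir_record(b"\x01", root_lba, SECTOR, True)
             + _dir_record(ident, file_lba, len(payload), False))
        return d.ljust(SECTOR, b"\x00")
    img = bytes(16 * SECTOR) + descriptor(1, proot)   # system area + primary descriptor
    if joliet_name:
        img += descriptor(2, jroot, b"%/E")
    img += descriptor(255, 0) + directory(proot, primary_name)
    if joliet_name:
        img += directory(jroot, joliet_name.encode("utf-16-be"))
    return img + payload.ljust(-(-len(payload) // SECTOR) * SECTOR, b"\x00")

# constructed stand-in for the dropper: only the MZ magic matters to the scanner
FAKE_PE = b"MZ" + bytes(62) + b"PE\x00\x00" + b"<constructed, not a real executable>"

if __name__ == "__main__":
    sample = build_sample_iso(b"PURCHASE.EXE;1", FAKE_PE, "Purchase Order.doc.exe;1")
    for hit in scan_iso(sample):
        print(hit)
```

Matching on the MZ magic rather than on the file extension is the point: a gateway rule that only looks for `.exe` names inside the archive misses a payload renamed to look like a document, while a PE file of any name inside a mailed .ISO is a strong enough signal on its own to quarantine the message for review.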

The following details the indicators of phishing identified during this analysis and activity of the malicious payload.

Emails analyzed by the Phishing Defense Team were sent from sales{at} and included the subject line Purchase Order with sample pictures.

After the .ISO file is accessed, it reveals a PE file that masquerades as a Microsoft Word document. Once the PE file is executed, it creates a process called MSBuild.exe, which runs the malicious AutoIT script. The script then attempts to call out to hxxp://sima.sweed-viki[.]ru/panel/post.php

Once a connection has been established, it sends the following traffic via HTTP:


PhishMe cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers be observant for emails that contain subject lines as described above. PhishMe Triage™ customers may create a rule as described below to detect this threat.
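Beyond the mail gateway, the execution chain described above leaves two host-side signals: MSBuild.exe started by a program that is not a development tool, and an HTTP POST to the panel path. The following is an added example, not a PhishMe Triage rule or other PhishMe code, that runs two such checks over constructed telemetry. The process events use a Sysmon-like shape whose field names are this example's own, the proxy log format (timestamp, client, method, URL, status, bytes, user agent) is assumed, the "trusted parent directories" heuristic and the `.example.com` internal-domain suffix are this example's assumptions, and the log line carrying the page's indicator keeps the page's defanged form (`hxxp`, `[.]`) and is refanged while parsing.

```python
import re

# Constructed process-creation events in a Sysmon-like shape; field names are this example's own.
PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"E:\Purchase Order.doc.exe", "user": "WORKSTATION\\jdoe"},
    {"pid": 5216, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\devenv.exe",
     "user": "WORKSTATION\\builduser"},
    {"pid": 6004, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "user": "WORKSTATION\\jdoe"},
]

# Constructed proxy log: timestamp, client, method, URL, status, bytes, user agent.
# The second line carries the page's indicator in its defanged form.
PROXY_LOG = """\
2017-05-22T14:02:11Z 10.0.0.15 GET http://www.example.com/ 200 5120 "Mozilla/5.0"
2017-05-22T14:02:19Z 10.0.0.15 POST hxxp://sima.sweed-viki[.]ru/panel/post.php 200 412 "Mozilla/4.0"
2017-05-22T14:03:40Z 10.0.0.22 POST http://intranet.example.com/panel/post.php 200 88 "Mozilla/5.0"
"""

# Assumed: where legitimate launchers of MSBuild.exe (Visual Studio, .NET tooling) are installed.
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
DOC_LOOKALIKE = re.compile(r"\.(doc|docx|xls|xlsx|pdf|rtf)\.(exe|scr|com|pif)$", re.I)
C2_PATH = re.compile(r"^/panel/post\.php$", re.I)
INTERNAL_HOST_SUFFIXES = (".example.com",)     # assumed: the organisation's own domains

def msbuild_findings(events):
    """MSBuild.exe launched from outside Windows/Program Files, or by a document look-alike .exe."""
    out = []
    for ev in events:
        if not ev["image"].lower().endswith("\\msbuild.exe"):
            continue
        parent = ev["parent_image"]
        reasons = []
        if not parent.lower().startswith(TRUSTED_PARENT_DIRS):
            reasons.append("parent outside Windows/Program Files")
        if DOC_LOOKALIKE.search(parent):
            reasons.append("parent name imitates a document")
        if reasons:
            out.append({"pid": ev["pid"], "parent": parent, "reasons": reasons})
    return out

def parse_proxy_line(line):
    """Split one log line; refang the page-style defanged URL so host and path parse normally."""
    ts, client, method, url, status, size, ua = line.split(" ", 6)
    url = url.replace("hxxp", "http").replace("[.]", ".")
    host, _, rest = url.split("://", 1)[1].partition("/")
    return {"ts": ts, "client": client, "method": method,
            "host": host.lower(), "path": "/" + rest.split("?", 1)[0]}

def c2_findings(log_text):
    """POSTs to the panel path on any host that is not one of the organisation's own."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        if (rec["method"] == "POST" and C2_PATH.match(rec["path"])
                and not rec["host"].endswith(INTERNAL_HOST_SUFFIXES)):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for f in msbuild_findings(PROCESS_EVENTS):
        print("process:", f)
    for h in c2_findings(PROXY_LOG):
        print("proxy:", h["ts"], h["client"], h["host"], h["path"])
```

The process check keys on the parent rather than on MSBuild.exe itself, since MSBuild runs legitimately on developer and build machines; a parent on a drive letter that is not the system volume (here `E:`, a mounted ISO) combined with a double extension is what separates this chain from a normal build. The proxy check pairs the path with a host allowlist because `/panel/post.php` alone is a generic enough path that an internal application can produce it, as the third constructed line shows.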




