In October 2025 phishing email attachments were dominated by Trojans (47%), with notable use of document OLE downloaders and compressed JS files distributing malware like Remcos RAT. The report highlights Korean-language phishing campaigns, attachment-format case analyses, and provides example MD5 hashes for malware samples. #Remcos
Key points
- Phishing email attachments in October 2025 were primarily Trojans, accounting for 47% of threats.
- Analysis covers distribution changes by category and attachment extension trends over the past six months.
- Korean-language phishing emails were identified and cataloged with subjects and attachment names to reveal common keywords.
- Document attachments used OLE objects to download additional malware, ultimately executing Remcos RAT.
- Compressed archives (RAR) containing JS files increased as a distribution method for malware in phishing emails.
- The report includes case analyses for representative attachment formats: Script, Document, and Compress.
- Examples of MD5 hashes for observed samples are provided for further investigation.
MITRE Techniques
- [T1204] User Execution – Malware relied on users opening attachments or executing downloaded payloads (“when the document file is executed … an OLE object inside the file downloads additional malware”).
- [T1124] System Time Discovery (indirect use) – Document OLE and script behaviors imply environment checks before payload execution (“an OLE object inside the file downloads additional malware, and when this malware is executed, the Remcos RAT malware is run”).
- [T1105] Ingress Tool Transfer – Additional malware was downloaded by an OLE object embedded in a document (“an OLE object inside the file downloads additional malware”).
- [T1203] Exploitation for Client Execution – Use of document OLE object to trigger download and execution of further malware (“an OLE object inside the file downloads additional malware”).
- [T1566] Phishing – Distribution of phishing pages via email and attachment-based delivery of malware, including FakePage and Remcos distribution (“phishing emails distributing a phishing page and Remcos RAT malware”).
- [T1027] Obfuscated Files or Information – Use of double extensions and compressed JS in RAR archives to disguise malicious files (“malware that prompt users to execute them by using a double extension” and “JS files are compressed in RAR and distributed”).
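The three delivery patterns listed above (double extensions, script files packed inside archives, and OLE objects embedded in documents) can be triaged from attachment names and bytes alone. The following Python is an added example and is not code from the ASEC report: it assumes illustrative extension lists, uses ZIP in place of RAR (parsing RAR needs the third-party `rarfile` package), recognises OOXML embeddings by their `*/embeddings/` part path, and spots legacy OLE packager objects with a byte scan for the UTF-16LE stream name `Ole10Native` rather than a full OLE parser. The sample attachments are constructed inline.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Illustrative extension sets (assumption: tune to the mail gateway's policy).
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"} | SCRIPT_EXTS
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "hwp"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}
OFFICE_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx"}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # compound file header
OLE10_NATIVE = "Ole10Native".encode("utf-16-le")           # packager stream name


@dataclass
class Verdict:
    name: str
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def extension_findings(name: str) -> list:
    """Flag executable/script extensions and decoy double extensions."""
    parts = name.lower().split(".")
    findings = []
    if len(parts) < 2:
        return findings
    last = parts[-1]
    if last in EXEC_EXTS:
        findings.append(f"executable/script extension .{last}")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            findings.append(f"double extension disguised as .{parts[-2]}")
    return findings


def archive_findings(data: bytes) -> list:
    """List archive members whose names trip the extension checks (ZIP shown; RAR needs rarfile)."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                for f in extension_findings(member):
                    findings.append(f"archive member '{member}': {f}")
    except zipfile.BadZipFile:
        pass
    return findings


def document_findings(data: bytes) -> list:
    """Look for embedded OLE objects in legacy (binary) and OOXML Office files."""
    findings = []
    if data.startswith(OLE_MAGIC):
        # Heuristic byte scan; a real parser (e.g. olefile) would walk the directory.
        if OLE10_NATIVE in data:
            findings.append("legacy OLE document contains an Ole10Native packager stream")
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            embedded = [m for m in zf.namelist() if "/embeddings/" in m]
            if embedded:
                findings.append(f"OOXML document embeds {len(embedded)} OLE object(s): {embedded}")
    except zipfile.BadZipFile:
        pass
    return findings


def triage_attachment(name: str, data: bytes) -> Verdict:
    """Combine the name-based and content-based checks for one attachment."""
    v = Verdict(name)
    v.findings += extension_findings(name)
    ext = name.lower().rsplit(".", 1)[-1]
    if ext in ARCHIVE_EXTS:
        v.findings += archive_findings(data)
    elif ext in OFFICE_EXTS:
        v.findings += document_findings(data)
    return v


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (used for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments, not real samples from the report.
    samples = {
        "report.pdf": b"%PDF-1.4 benign",
        "invoice.pdf.exe": b"MZ",
        "delivery.zip": make_zip({"invoice.pdf.js": b"var x = 1;"}),
        "quote.docx": make_zip({"word/document.xml": b"<w/>",
                                "word/embeddings/oleObject1.bin": b"\x00"}),
        "quote.doc": OLE_MAGIC + b"\x00" * 504 + OLE10_NATIVE,
    }
    for name, data in samples.items():
        v = triage_attachment(name, data)
        print(f"{name}: {'SUSPICIOUS' if v.suspicious else 'clean'} {v.findings}")
```

A hit from `document_findings` is a reason to detonate or block rather than a verdict on its own, since legitimate documents also embed objects; the name-based double-extension check has far fewer benign explanations.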
Indicators of Compromise
- [File Hashes] MD5 hashes of observed samples – 00aa005a548d5da968b700401382eec0, 016db2dd7c199a364d688083dbfc39c8, and 3 more hashes.
- [Malware Name] Context of distribution – Remcos RAT (delivered via document OLE downloader).
- [Attachment Types] File formats used in phishing emails – Document attachments with OLE objects, RAR archives containing JS files.
- [Language Context] Regional targeting – Korean-language phishing emails (cases include Korean email bodies, subjects, and attachment names).
Read more: https://asec.ahnlab.com/en/91060/