PDF Phishing Leads to Nanocore RAT, Targets French Nationals

released on 2017-10-12 @ 05:09:53 PM
Malware developers use a variety of distribution methods to confuse users and evade certain AV solutions. Recently, FortiGuard Labs found a phishing campaign targeting French nationals. In this campaign, a PDF file with embedded JavaScript is used to download the payload from a Google Drive shared link. As it turns out, the downloaded file is an HTA (HTML Application) file, a format that is becoming more and more common as a malware launch point. It is usually used as a downloader for the actual binary payload. However, in this campaign, the binary payload, which was later found to be a NanoCore RAT client, is actually embedded in the obfuscated HTA. This way, the HTA effectively serves as a wrapper to try to slip past traditional file-type-based scanning in the network as well as anti-spam services.