Malicious email with document attached

We are seeing a pretty significant spike in malicious spam email (“malspam”) using a relatively new technique that’s bypassing most SPAM filtering tools. The emails are very basic and have a document attached. The attached document is typically also very basic, often contains the logo of the target (you, if you’re receiving the email) and then a QR code with instructions to scan it using your phone camera.

  • The email comes from a legitimate source. In many cases, it looks like the actual sender's email account has been compromised and the message sent without their knowledge.
  • The document, because it only contains text and one or two images (logo and QR code or only the QR code), passes antivirus scans.
    • I tested this on virustotal.com and only one of the documents thus far has been flagged, and that one was only flagged by Fortiguard.
    • I also tested both URLs (linked to from the documents), and one, the same one that the document was flagged on, got flagged.
  • The threat actor has done their homework. The malspam is addressed to a specific person with a role related to the content of the email. For example, remittance letter going to accounting, employee handbook going to HR, etc.
  • Even though the emails look very similar, it does not appear to be the same threat actor because the QR codes point to very different locations. Below are the two most recent that we’ve seen (links are intentionally broken for obvious reasons).
    • hxxps://ddcfm.github.io/filss//Dcumsharedfileo.html
    • hxxps://vpph.qcspyf.sa.com/CRP!7313J0hNxuFOr/$

If you receive one of these emails, do not interact with the QR code (don’t scan it, click on it, etc.) but report it to your IT Department or IT Support team. Simply viewing the email or opening the attached document currently doesn’t appear to be problematic but it’s never a good plan to just open attachments directly from email.


Need IT Support for your Home or Business? We’d love to help!

Are you a small to medium sized business looking to leverage technology and enable your business and workforce to work smarter and more efficiently? Do you already have computers, servers, firewalls, VPNs or other technology that you’re not taking full advantage of? Are you looking for an IT Service Provider who understands the needs of small to medium sized businesses and the challenges that we face, and who can work with you to grow your business rather than just sell you time?

Cyber Tech Cafe is an IT Service Company with a focus on helping small to medium businesses get the most out of their technology investment. As a small business ourselves, we understand the challenges you face and have designed our service offerings to help you get the most out of your technology dollar. We offer on-call, as-needed support if you just need a quick fix or an extra set of hands right now. We also offer maintenance plans that we call “MyIT”, designed to address the most common concerns (patch management, disaster recovery / backup, log review, etc.), priced on the number of workstations and servers that you have, with no term contract. We believe that, if you find value in what we’re doing, you’ll find a way to keep us around without a contract saying that you have to.

If you have questions about the MyIT plans or have an IT need that you need addressed right now, let us know. We look forward to the opportunity to earn your business.

Article Submitted by Nathan J. Underwood, CEH