Email scams – very sloppy Cerber dropper

Timestamps – February 2017 to March (9-3-2017), plus older ones following the same pattern from May 2016

Continuing the line on sloppy email scams, a specific type keeps hitting one of my addresses. Spam arrives regularly from the same addresses, always in the same format. The attachments are built Matryoshka style, as in a previous post (archive in archive, finally containing a JS or DOC file).
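
As an added example (not code from this post), a small Python check for the Matryoshka pattern described above: it walks a nested zip attachment recursively, records where each non-archive member sits, and flags script or document payloads, with depth and member-size caps as a guard against decompression tricks. The sample archive, its file names and the extension list are constructed assumptions.

```python
import io
import os
import zipfile

# Extensions the post associates with the final payload (JS or DOC); assumed list.
PAYLOAD_EXTENSIONS = {".js", ".doc"}
MAX_DEPTH = 5                      # stop recursing past this nesting level
MAX_MEMBER_BYTES = 5 * 1024 * 1024 # skip members larger than this (zip-bomb guard)


def inspect_attachment(data: bytes, depth: int = 0) -> list:
    """Return (depth, member name) for every non-archive member of a nested zip.
    Archives inside the archive are opened in place; nothing is written to disk."""
    findings = []
    if depth > MAX_DEPTH:
        return [(depth, "<max depth exceeded>")]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((depth, f"<skipped oversized: {info.filename}>"))
                    continue
                member = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(member)):
                    findings.extend(inspect_attachment(member, depth + 1))
                else:
                    findings.append((depth, info.filename))
    except zipfile.BadZipFile:
        findings.append((depth, "<not a zip>"))
    return findings


def flagged_payloads(findings: list) -> list:
    """Keep only members whose extension matches the dropper payload types."""
    return [(d, n) for d, n in findings
            if os.path.splitext(n)[1].lower() in PAYLOAD_EXTENSIONS]


def build_sample() -> bytes:
    """Constructed sample: archive in archive, innermost holding a .js file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.js", "// constructed placeholder, not a real script\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
        z.writestr("readme.txt", "constructed benign member\n")
    return outer.getvalue()


if __name__ == "__main__":
    print(flagged_payloads(inspect_attachment(build_sample())))
```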


The surprising thing is that, even though they are very poorly executed:

  1. The spam filter is very bad at identifying them. All of this lands in my inbox.
  2. Over a 10-month period I've been receiving the same kind of thing from the same email address (different IPs, though).

Sender email


Sender IP address (from 2017)

Sender IP address (from 2016)



After sandbox analysis, one of them still seems to work as a Cerber dropper; the other seems defunct.

Full IOC list on