Email scams – very sloppy Cerber dropper

Timestamps – February 2017 to 9-3-2017, plus older ones following the same pattern from May 2016

Continuing the line on sloppy email scams, a specific type is hitting one of my addresses. Spam is received regularly from the same addresses, always in the same format. The attachments are built Matryoshka style, as in a previous post (archive in archive, finally containing a JS or DOC file).


The surprising things is that, even though they are very poorly executed :

  1. The spam filter is very bad at identifying them: all of it lands in my inbox.
  2. Over a 10-month period I’ve been receiving the same kind of thing from the same email address (though from different IPs).
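The two points above (archive-in-archive attachments that end in a JS or DOC file, and a spam filter that does not flag them) suggest a simple gateway-side check: unpack nested zips in memory and report any script or document buried more than one layer deep. The script below is an added example, not code from the post; the sample attachments it builds are constructed, the extra extensions beyond .js and .doc (.jse, .wsf, .vbs, .docm) are an assumption for coverage, and the depth and size limits are there so a malformed or bomb-like archive cannot exhaust the scanner.

```python
import io
import zipfile

# The post reports JS or DOC as the innermost payload; the sibling
# script/macro extensions are an assumption added for coverage.
PAYLOAD_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".doc", ".docm")
MAX_DEPTH = 5                        # stop recursing into pathological nesting
MAX_MEMBER_BYTES = 5 * 1024 * 1024   # skip members whose declared size is huge


def inspect_archive(data, depth=0, path="attachment"):
    """Walk a zip (and any zips inside it) and return a list of
    (nesting_depth, inner_path) tuples for members with a payload extension.
    Non-zip input yields no findings."""
    findings = []
    if depth >= MAX_DEPTH:
        return findings
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with archive:
        for member in archive.infolist():
            if member.is_dir() or member.file_size > MAX_MEMBER_BYTES:
                continue
            inner_path = f"{path}/{member.filename}"
            name = member.filename.lower()
            if name.endswith(".zip"):
                # archive in archive: descend one layer
                findings.extend(inspect_archive(archive.read(member), depth + 1, inner_path))
            elif name.endswith(PAYLOAD_EXTENSIONS):
                findings.append((depth + 1, inner_path))
    return findings


def is_matryoshka_dropper(data):
    """True when a payload file sits at least two archive layers deep,
    i.e. archive-in-archive ending in a script or document."""
    return any(depth >= 2 for depth, _ in inspect_archive(data))


def build_sample(nested):
    """Constructed sample attachments (not taken from the post):
    nested=True  -> outer.zip / invoice.zip / invoice_1234.js
    nested=False -> outer.zip / report.pdf"""
    if not nested:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("report.pdf", b"%PDF-1.4 constructed placeholder\n")
        return buf.getvalue()
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice_1234.js", "// constructed placeholder, not a real payload\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for nested in (True, False):
        sample = build_sample(nested)
        print(nested, inspect_archive(sample), is_matryoshka_dropper(sample))
```

Matching on a nested path rather than on the outer attachment name is what makes the check useful here: the outer zip looks like any other archive, and only the inner path (`attachment/invoice.zip/invoice_1234.js`) shows the pattern the post describes.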

[Table: sender email; sender IP address (from 2017); sender IP address (from 2016)]



After sandbox analysis, one of them still seems to work as a Cerber dropper; the other seems defunct.

Full IOC list on