We are used to receiving emails with malicious links every day, but it is easy to identify them, so they do not represent much danger.
Often it is enough to look at the sender to see that the email address comes from a suspicious domain, which is why most of them land directly in spam.
Things change when the email arrives from a prestigious domain, such as Adobe's, sent through its digital signature platform.
That is what has been happening in recent days: an attack directed at YouTubers that begins with an email like the one shown in the screenshot below, offering a document to be signed, a document that talks about an alleged copyright infringement in some posted video.
Although YouTube manages these infringements indirectly, with a specific section for notices and requests to remove content, suspicion grows in the YouTuber, and they will surely click on the Adobe link because, after all, it is Adobe.
The document usually has the following format:
That is where the malicious link is, in that document hosted by Adobe, with the signature field included, although they have also used dochub.com to host the malicious documents.
Both Adobe and dochub are removing these documents from their systems, since they contain a request to download a .zip file where the real virus is found:
They are not documents; they are executables that, when analyzed with VirusTotal, show their true nature:
Windows detects it as a threat too, of course.
Among them is Trojan:W32/GenInflated.B, a Trojan that hijacks the computer, demanding payment to ransom the information. Ransomware, wow.
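As an added example (not part of the original post), here is a Python check that lists the members of a downloaded .zip without extracting them and flags any that are executables, by extension or by the `MZ` header, as the "documents" in this campaign turned out to be. The function names, the extension list and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions Windows runs directly; a document should never carry one of these.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".lnk", ".vbs", ".js"}


def _ext(name):
    """Return the lowercased final extension, ignoring trailing dots and spaces."""
    base = name.rstrip(". ").rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def suspicious_members(zip_bytes):
    """Map suspicious member names to reasons; members are read in memory, never extracted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if _ext(info.filename) in EXECUTABLE_EXTS:
                reasons.append("executable extension")
            if info.flag_bits & 0x1:  # encrypted member: content cannot be inspected
                reasons.append("encrypted")
            else:
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":  # DOS/PE header magic
                        reasons.append("MZ header")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample():
    """Constructed sample archive: harmless placeholder bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Copyright_claim.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Evidence.pdf", b"MZ" + b"\x00" * 62)  # PE bytes under a document name
        zf.writestr("readme.txt", b"plain text")
        zf.writestr("real.pdf", b"%PDF-1.7\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_members(build_sample()).items():
        print(f"{name}: {', '.join(reasons)}")
```

To check a real download, pass the archive's bytes, for example `suspicious_members(open(path, "rb").read())`; a flagged entry should go to a scanner, not be opened.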