Phishing or Malware? Unpacking a Combo 2-in-1 Threat

Security researchers at Forcepoint recently uncovered a particularly unusual sample that blurs the lines between a classic phishing scam and a malware attack. At first glance, it looked like an ordinary phishing email — but digging deeper revealed that it also contained a malicious attachment from the X-Worm/Formbook family. This kind of dual-threat delivery, where a phishing message also distributes malware, is rare and noteworthy.

Let’s break down what made this sample so interesting. 

The Email: A Classic Phish on the Surface

Fig. 1 - Email view

The subject line read:

• Subject: Your mailbox is almost full [victim.email]@[domain].com
   

At first, everything about the email screamed “phishing.” The sender’s address was disguised in a deceptive format that looked something like:

• From: “[victim.domain]” [email protected]

This format gives the impression that the message came from a legitimate internal source when in reality it likely originated from a hijacked or spoofed email address.

The body of the message followed standard phishing tactics: a brief warning about a full mailbox and a big, urgent looking “Clear Storage” button prompting the user to take immediate action.

The Redirect: IPFS-Based Phishing Page

Clicking the button led the user to a free hosting platform via the following URL: 

• hxxps://ipfs[.]io/ipfs/bafkreifs2nuxey2rbsqwuv5qt6xwnopg3hhailqnk2bpw52fmqitxmzuni#[email protected]

This redirect took the victim to a phishing page hosted on IPFS (InterPlanetary File System) - a decentralized file-sharing network increasingly exploited by threat actors due to its resilience against takedowns. Hosting malicious content on such platforms not only enhances persistence but also increases the likelihood of user interaction, as these services often appear familiar or trustworthy. This tactic reflects a broader trend anticipated in the Forcepoint X-Labs’ 2025 Future Insights report, which predicted that adversaries would increasingly exploit legitimate infrastructure to blend into normal traffic patterns and evade detection. 

Fig. 2 - Phishing page

Interestingly, the phishing page didn’t just attempt to steal credentials — it also tried to gather extra context about the victim. By including an external JavaScript file from geoplugin.net, the page was able to quietly capture information like the user’s geographic region, system details, and local date and time. GeoPlugin is a geolocation API that determines a user’s location based on their IP address, offering insights such as country, city, and even latitude and longitude. These small details may seem harmless, but in the hands of a phisher, they help craft a more convincing and personalized experience — making the scam feel more legitimate and increasing the chances that a victim will fall for it.

Fig. 3 - Geolocation JavaScript

Obfuscated Code

The phishing page’s content was obfuscated using JavaScript. A snippet of the code looked like this: 

After decoding, it became clear that the page was designed to steal credentials. The obfuscated script dynamically rendered a login form, and once credentials were entered, they were sent via a POST request to an attacker-controlled endpoint.

Fig. 4 - Code sample with POST request

The Attachment: Malware in Disguise

What set this phishing campaign apart, however, was the unrelated malicious attachment that came along with the email — a RAR archive. 

Although the attachment had no logical connection to the email’s content, once extracted and executed, it dropped malware from the X-Worm/Formbook family, known for:

• Credential stealing
• Keylogging
• Persistence techniques
• Anti-analysis features 

Malware Behavior Summary

The malware execution begins with a .NET-compiled loader that runs in a managed runtime environment. This loader is responsible for delivering and executing a second-stage payload, which is also a .NET executable. The consistent use of .NET across both stages indicates a streamlined delivery chain leveraging in-memory execution or embedded resources to evade detection.
In summary, the malware sample exhibited the following suspicious activities:

• Anti-analysis: Used sleep delays, checked for debugging environments, and detected virtualization.
• System modification: Added Windows Defender exclusions and created scheduled tasks for persistence.
• Network communication: Attempted connections to external IPs, possibly for command-and-control (C2) communication or data exfiltration.
• Code injection: Dropped and injected malicious payloads into legitimate system processes. 

Conclusion

This hybrid campaign underscores the evolving tactics of threat actors. By bundling phishing with malware delivery, attackers increase their chances of success — if the phishing lure doesn’t get you, the malicious attachment might.

Protection Statement:

Forcepoint customers are protected against this threat at the following stages of attack:

• Stage 1 (Lure) – Emails are blocked by email security analytics.
• Stage 2 (Delivery) – Emails and malicious attachments are identified and blocked by Forcepoint Email Security.
• Stage 3 (Redirect) – Redirection URL within the email are identified and blocked.
• Stage 6 (Command and Control / Call Home) – Communication attempts to C2 servers related to the phishing page and malware attachment are successfully blocked. 

IOCs: