The malicious executables being downloaded are 'win.exe' [VirusTotal], and 'MacOS' [VirusTotal], with their names corresponding to their target operating systems. Both of these are downloaded from the IP address 141.164.58[.]147, commissioned by the cloud hosting provider, Vultr.
Malware authors use a variety of physical and virtual means to spread malware that infects devices and networks. For example, malicious programs can be delivered to a system with a USB drive, through popular collaboration tools and by drive-by downloads, which automatically download malicious programs to systems without the user's approval or knowledge.
Phishing attacks are another common type of malware delivery where emails disguised as legitimate messages contain malicious links or attachments that deliver the malware executable file to unsuspecting users. Sophisticated malware attacks often feature the use of a command-and-control server that enables threat actors to communicate with the infected systems, exfiltrate sensitive data and even remotely control the compromised device or server.
Emerging strains of malware include new evasion and obfuscation techniques designed to not only fool users, but also security administrators and antimalware products. Some of these evasion techniques rely on simple tactics, such as using web proxies to hide malicious traffic or source IP addresses. More sophisticated threats include polymorphic malware that can repeatedly change its underlying code to avoid detection from signature-based detection tools; anti-sandbox techniques that enable malware to detect when it is being analyzed and to delay execution until after it leaves the sandbox; and fileless malware that resides only in the system's RAM to avoid being discovered.
Apple iOS devices are rarely infected with malware because Apple vets the applications sold in the App Store. However, it is still possible for an iOS device to be infected with malicious code by opening an unknown link found in an email or text message. iOS devices will also become more vulnerable if jailbroken.
There are other types of programs that share common traits with malware but are distinctly different. One example is a PUP, or potentially unwanted program. These are applications that trick users into installing them on their systems -- such as browser toolbars -- but do not execute any malicious functions once they have been installed. However, there are cases where a PUP may contain spyware-like functionality or other hidden malicious features, in which case the PUP would be classified as malware.
Warning: Most of these pcaps contain Windows malware, and this tutorial involves examining these malicious files. Since these files are Windows malware, I recommend doing this tutorial in a non-Windows environment, like a MacBook or Linux host. You could also use a virtual machine (VM) running Linux.
After filtering on http.request, find the two GET requests to smart-fax[.]com. The first request ends with .doc, indicating the first request returned a Microsoft Word document. The second request ends with .exe, indicating the second request returned a Windows executable file. The HTTP GET requests are listed below.
The information above confirms our suspected Word document is in fact a Microsoft Word document. It also confirms the suspected Windows executable file is indeed a Windows executable. We can check the SHA256 hashes against VirusTotal to see if these files are detected as malware. We could also do a Google search on the SHA256 hashes to possibly find additional information.
In addition to Windows executable or other malware files, we can also extract web pages. Our second pcap for this tutorial, extracting-objects-from-pcap-example-02.pcap (available here) contains traffic of someone entering login credentials on a fake PayPal login page.
Notice the two entries near the middle of the list with \\10.6.26.6\C$ as the Hostname. A closer examination of their respective Filename fields indicates these are two Windows executable files. See Table 1 below for details.
Prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over time.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.Deep analysis currently supports extensive analysis of portable executable (PE) files (including .exe and .dll files).
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the Deep analysis tab, on the file's profile page.
When .exe files are run on a macOS operating system, they typically result in an error message. However, this malware included files from the Mono.NET framework, which is a popular open source framework that allows developers to create cross-platform Microsoft .NET applications. Since the main macOS application is signed, the macOS Gatekeeper, which verifies if software is legitimate, believed the application was safe and allowed it to execute which in turn launched the malicious .exe file.
This infiltration and code execution method provides a new opportunity for hackers to target macOS. Although the current versions of this malware only steal data and install adware, the ability to execute arbitrary code by hiding it within a legitimate looking macOS application is sure to be leveraged for more malicious purposes.
TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. 
On Windows 10, various Attack Surface Reduction (ASR) rules can be enabled to prevent the execution of potentially malicious executable files (such as those that have been downloaded and executed by Office applications/scripting interpreters/email clients or that do not meet specific prevalence, age, or trusted list criteria). Note: cloud-delivered protection must be enabled for certain rules. 
In endpoint protection solutions, a false positive is an entity, such as a file or a process that was detected and identified as malicious even though the entity isn't actually a threat. A false negative is an entity that wasn't detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including Defender for Endpoint.
The Mach-O file contains a malicious document that runs automatically once a user opens it. It then overwrites all Microsoft Word files in the macOS user directory and contacts a remote server to download more files, including a Windows executable file (.exe) that runs the Dridex malware.
An online tool called VirusTotal can scan URLs and files that people upload and detect if it contains malware. For example, if an email has a Microsoft Word document or a Mach-O file as an attachment, it may be a good idea to scan it with the website.
The Dridex malware sample that Trend Micro analyzed arrives as a Mach-O file, which is a type of executable used by both macOS and iOS. First discovered back in 2019 and submitted to VirusTotal, 67 more artifacts based on it have been detected in the wild including some as recently as December of last year.
EXE viruses are the most common type of file-infecting viruses. They can be encountered on malicious websites, found bundled with shady software, or disguised as legitimate files on file-sharing websites.
RedLine Stealer (also known as RedLine) is a malicious program which can be purchased on hacker forums for $150/$200 depending on the version. It can be used to steal information and infect operating systems with other malware.
Furthermore, it is capable of collecting system information such as IP addresses, usernames, keyboard layouts, UAC settings, installed security solutions, and other details. This malicious program can be used to infect computers with other malware (download and execute malicious files).
In other cases, cybercriminals proliferate malicious programs through spam campaigns (emails), Trojans, dubious software download channels, unofficial activation tools and fake updaters. They attempt to proliferate malware by sending emails that contain malicious attachments (or web links that lead to download of malicious files).
Untrustworthy download sources/channels are used to trick users into installing malware by disguising hosted, uploaded malicious files as harmless and regular. When downloaded and opened/executed, however, the files cause installation of malware.
Some examples of the download channels often used to proliferate malicious programs are free file hosting, freeware download websites, unofficial sites, Peer-to-Peer networks (e.g., torrent clients, eMule) and third party downloaders. Unofficial activation tools supposedly activate licensed software free of charge (bypass its activation), however, they often install malware instead. 2b1af7f3a8