Graphical Lures In The Age of Cybercrime

Collage of document warning notifications from various platforms

How does fishing work in real life? The fisherman chooses a suitable place for fishing, he chooses the right tools; a fishing rod or nets, and he also needs to choose the right bait. When everything is ready, he can expect a good degree of success.

In fact, fishing in cyberspace is not that different from fishing in real life. A threat actor needs to choose the right tools. Depending on the purpose, they can use different tools; such as bankers to steal money or espionage tools to steal data. A threat actor may also use third-party tools such as Cobalt Strike or Metasploit, at their discretion to suit their needs.

It is just as important for a threat actor to choose the right lure. Why? The fact of the matter is that the first step in many cybercrime incidents still require a minimum amount of user interaction. If the document provided by the macros is provided, then the attacker must coerce the victim to enable the macros to proceed. This assumes the attacker leverages malicious documents rather than other means of achieving remote code execution. 

In this blog, we will look at some of the visual honeypots that cybercriminals use, as well as observe different varieties of decoys used for mass phishing or targeted attacks.


The Hancitor downloader has been known since 2013. Using a macro, it loads and runs various payloads. These are usually banking trojans and bots. Periodically, attackers will change the visual bait to bypass and delay detection efforts. A real world example of this occurred in the last month and happens at fairly regular intervals.

It is evident that considerable effort goes into making the new bait look modern and sleek. Increasing perceived credibility and the chances that targets will follow instructions.

Qbot aka QakBot

This bot exists and has been successfully distributed for quite some time, dating back to 2007. Like other campaigns, visual lures change regularly and we will look at a few that have been and/or are currently in use.


Banking trojan used by the threat actor TA551. They have been observed active in the wild since 2017, likely prior. In some cases, it is distributed along with a password to decrypt the document. Visual lures also change quite often. Interestingly, it bears similarity to Qbot lures, possibly indicating a connection between the campaigns. 

Agent Tesla

The group of cybercriminals behind the spread of this remote access trojan uses an interesting method in choosing a visual lure. In some versions, they deliberately blur the fake document so the user is more likely to click on the content enable button to “view” the document.


Dridex is created and used by the TA 550 group. This is a data stealing program that spreads through phishing emails. Threat Actors are constantly using various lures to carry out malicious campaigns.

Dridex visual lure.
Dridex visual lure. (Variant)

Very often the documents of dridex pretend to be documents from transport companies.

Dridex visual lure. (Variant) 


Some time ago, Emotet was the most popular banking trojan for stealing data. Recently however, attackers were able to leverage it to install other malware families as well as ransomware. Most of the malware downloaded by Emotet, normally distributed via phishing emails, leverage Emotet’s infrastructure for higher infection rates. In January 2021, international law enforcement authorities shut down a large amount of servers controlled by the actors, causing the campaign to go dormant until its November resurgence.

Emotet visual lure: This bait was used with the return of Emotet.
Another Emotet visual lure.
Emotet visual lure. (Variant)

Targeted attacks.

What we have discussed above is the distribution of phishing emails sent out on a huge scale every day. Such campaigns can be carried out regularly or in limited intervals. Targeted attacks are carried out with a careful choice of target and bait. In such cases, it is not easy to attribute a group to a particular campaign, the following are examples of such cases.

Some time ago we found an interesting document that loaded Сobalt Strike. They had a very interesting visual lure, which has not yet been encountered in large quantities as with large campaigns.

A document that abuses the Kaspersky brand.

Some visual decoys are written in the language of the victim so that the likelihood of opening the file and activating macros is heightened. The following sample, tailored for a French target, is a prime example. 

A lure used in a French targeted attack.
A tailored lure used in a targeted attack.

The following is another document used in the targeted attack whose payload was also Cobalt Strike.

A very simple example of targeted lure. (Not campaign related)
SHA256 – 5d3220db34868fc98137b7dfb3a6ee47db386f145b534fb4a13ef5e0b5df9268
Another lure used in a specific locale targeted attack.
SHA256 – d063c3938bb3ce3a0fe0c5492b7a8fe072524db87606b071152958e795501f7f
A lure used in a targeted attack. (Not campaign related)
SHA256 – 0dde111712db81b5a70d9cf35f5e1fcd5d585c62f678a5db66d2a166ef3a3399
A decoy used in a targeted attack.
  SHA56 – 20fe5a152878e31a0bab6102a8c265f8e4e0309a4cbd1d03cba00ddb22bc1633

APT Actors

The tools used by APT actors are very often fundamentally different from those used for phishing. The fact is that APT campaigns are focused on striking covertly with specific goals in mind. Very often, documents used in APT campaigns mimic or leverage internal government documents, reports and bulletins.

Often, malicious payloads are embedded within documents primed for target emails rather than retrieved as seen in other campaigns. We’ll look at a few examples.

The lure used in the APT campaign.
Another lure used in the APT campaign.
Additional maldoc used in the APT campaign.
Additional maldoc used in the APT campaign.
SHA256 – cad6611f90ce66e74418e47e45203e5771e61c57f49e27e8278a03165de741fe

It would be quite daunting to comprehensively cover the lures in the wild within this blog. However, we have a great collection of such lures within the Malware Lures Gallery.


Visual lures used in malicious documents are aimed at making users open the document and enable the execution of macros. Another goal is to hide malicious activity and create the impression of a legitimate document that the user is likely to interact with. 

These simple rules will help mitigate the risk of falling prey to threat actors.

  1. Always update your operating system and Office.
  2. Never click “Enable Content”.
  3. Never open suspicious documents.
  4. Never use pirated software.
  5. Take care of the cybersecurity of your enterprise.

You can familiarize yourself with the InQuest DFI Platform and SaaS Email Security Solution





Agent Tesla

Targeted Attacks.

APT Attacks.

How Effective Is Your Email Security Stack?

Did you know, 80% of malware is delivered via email? How well do your defenses stand up to today’s emerging malware? Discover how effectively your email provider’s security performs with our Email Attack Simulation. You’ll receive daily reports on threats that bypassed your defenses as well as recommendations for closing the gap. Free of charge for 30 days.

Get My Email Attack Simulation