Malware Analysis Case Study: From Phishing Campaign to Reflective Loader (with ANY.RUN)

In this video, I break down a real phishing attack that targeted me personally as a YouTube creator. What appeared to be a simple “appeal your ban” email turned out to be a multi-stage malware campaign utilizing Google Drive, Cloudflare, mshta.exe, and Excel macros to deliver a reflective loader that ran entirely in memory.

You’ll see the complete investigation unfold in real time:
How attackers used Google Drive to bypass filters
The fake YouTube “appeal” page and clipboard hijack trick
Abuse of mshta.exe (a Windows LOLBin) to run an HTA file
VBScript launching Excel and injecting a hidden macro
Reflective shellcode loader executing payloads from memory
C2 traffic over HTTPS to attacker infrastructure

⚠️ This is not a lab simulation — this was a real phishing attempt against me.

🔎 Free: Full written intel report on Cyberwox Unplugged → https://www.cyberwoxunplugged.com/p/t...

00:00 – The phishing email & Google Drive link
01:49 – Fake YouTube appeal site
03:58 – Clipboard hijack & Win+R trick
05:50 – MSHTA abuse & HTA loader
08:31 – Malicious IPs
12:03 – Threats
14:04 – HTA File Analysis
17:50 – Obfuscation behavior
21:08 – GPT Prompt
24:59 – Process Analysis
31:16 – GPT Analysis
34:39 – LOLBAS
25:00 – Network behavior & C2
35:25 – Final Thoughts & takeaways

_____________
🔬 This analysis was powered heavily by ANY.RUN’s interactive malware sandbox, which made it possible to observe each stage of the phishing chain in real time.

This video is not sponsored by ANY.RUN, but I want to be transparent in crediting the platform because it played a central role in uncovering everything laid out here.

For defenders who want to go deeper than running single samples, ANY.RUN recently rolled out Threat Intelligence Feeds that aggregate behavioral data across thousands of detonations. This expands visibility from “what happened in my one sandbox run” to “what’s happening across the wild right now.”

📌 If you’re serious about threat intelligence, threat hunting, or detection engineering, it’s worth exploring: https://bit.ly/cwx-anyrun-threat-inte...


_____________
⚡️JOIN 6,700+ CWX MEMBERS ON DISCORD:   / discord  
📰 SUBSCRIBE TO THE CYBERWOX UNPLUGGED NEWSLETTER: https://cyberwoxunplugged.com
🥶 CYBEWOX MERCH: https://store.cyberwox.com
🫂 CYBERWOX SYNDICATE: Join this channel to support the mission:
   / @daycyberwox  

_____________
🧬 CYBERWOX RESOURCES
🔹 Cyberwox Cybersecurity Notion Templates for planning your career: https://daycyberwox.gumroad.com/l/cyb...
🔹 Cyberwox Best Entry-Level Cybersecurity Resume Template: https://daycyberwox.gumroad.com/l/cyb...
🔹 Learn AWS Threat Detection with my LinkedIn Learning Course:   / introduction-to-aws-threat-detection  

_____________
📱 LET'S CONNECT
→ IG:   / daycyberwox​  
→ Threads: https://www.threads.net/@daycyberwox
→ Substack: https://substack.com/@cyberwox
→ Twitter:   / daycyberwox​  
→ LinkedIn:   / dayspringjohnson  
→ Tiktok:   / cyberwox  
Email: [email protected]

_____________
#️⃣ Relevant Hashtags
#cybersecurity #hacking #threatdetection #cloudcomputing #cloudsecurity #technology #tech #dallas #texas #cloud

_____________
⚠️DISCLAIMER
This video description has some affiliate links, and I may receive a small commission for purchases made through these links. I appreciate your support!

Hackers Tried to Hack Me — I Reverse Engineered Their Malware Instead