Payload Macros Word


#Security: Phishing with Macros! (updated)

Hi!

Yesterday I received an email from an address that should look like my boss email address. It was something like this: "Boss.Name@our-institute.uni-hannover.de nancy@hillstar.brcoxmail.com" with the subject: Rech QK - 163-DA7666 Riva, Mauro and a text saying:

Guten Tag, Riva, Mauro

Als Anhang erhalten Sie Ihre Rechnung. (something like "You receive your invoice as an attachment.")

Rech:
http://blackbox-es.com/Rechnung-26375407950/ (don't click this link --> read all the post!!!)

Herzliche Grüße (Grüße: Grüße)

boss.name@our-institute.uni-hannover.de

As you see, there is a link to the Blackbox-ES company website based in Kaysville, UT, USA.

You are obviously going to say phishing! That's for sure! But I clicked on the link to check it out! I used a Tor browser (I didn't want to give my IP). The link started a download of a word document with name Rechnungs-Details-43154391936.doc, and again obviously with macros inside!: A payload! I haven't opened it yet, but I am going to use a virtual machine this weekend, that I usually use for that. I want to read the payload and if it's possible check the remote host address.

I uploaded it to VirusTotal and at first time (yesterday at 10 a.m.), only 4 antivirus were able to detect the file as a threat! Now, I uploaded it again and I got the following report:

Macro Virus
VirusTotal report

Only 7 antivirus detect the file as a threat! I still have the file on my download folder and the Microsoft Security Essentials is not reporting or deleting it!!! Nice! :S

I've done the following things:

I found the following report: https://goo.gl/yPakSa It contains more information about the payload!

(I haven't check the email nancy@hillstar.brcoxmail.com yet, but it probably doesn't exist neither the domain)

We will see tomorrow!

Notes:

  • (1) I've just received an email from Kaspersky Lab with following content:
    Malicious code detected by Kaspersky Lab products with KSN technology enabled has been found in the following files:
    Rechnungs-Details-43154391936.doc - UDS:DangerousObject.Multi.Generic
    
  • (2) Microsoft reports the following: Microsoft Report

Updates:

25.08.2017 10:20: 11 Antivirus (Microsoft still reports the file as clean!) Update 20170825 10:20

Last update (03.09.2017 23:00): 31 Antivirus (Microsoft still reports the file as clean! I've submitted it twice, but no chance!) Last Update 20170903 23:00

{{ message }}

{{ 'Comments are closed.' | trans }}