#Security: Phishing with Macros! (updated)
Yesterday I received an email from an address that was meant to look like my boss's email address. It was something like this: "Boss.Name@our-institute.uni-hannover.de firstname.lastname@example.org" with the subject:
Rech QK - 163-DA7666 Riva, Mauro
and a text saying:
Guten Tag, Riva, Mauro
Als Anhang erhalten Sie Ihre Rechnung. (something like "You receive your invoice as an attachment.")
Rech: http://blackbox-es.com/Rechnung-26375407950/ (don't click this link --> read the whole post!!!)
Herzliche GrÃ¼ÃŸe (GrÃ¼ÃŸe: Grüße)
email@example.com
As you can see, there is a link to the website of the Blackbox-ES company, based in Kaysville, UT, USA.
You are obviously going to say phishing! That's for sure! But I clicked on the link to check it out! I used a Tor browser (I didn't want to give my IP). The link started a download of a Word document named Rechnungs-Details-43154391936.doc, and again, obviously, with macros inside: a payload! I haven't opened it yet, but this weekend I am going to use a virtual machine that I usually use for that. I want to read the payload and, if possible, check the remote host address.
I uploaded it to VirusTotal and the first time (yesterday at 10 a.m.), only 4 antivirus engines were able to detect the file as a threat! Now, I uploaded it again and I got the following report:
Only 7 antivirus engines detect the file as a threat! I still have the file in my download folder and Microsoft Security Essentials is not reporting or deleting it!!! Nice! :S
I've done the following things:
- I've reported the link as phishing to https://safebrowsing.google.com/safebrowsing/report_phish/
- I've written to the company contacts to inform them about the file (I hope it will be deleted soon!)
- I've opened report cases on:
I found the following report: https://goo.gl/yPakSa It contains more information about the payload!
(I haven't checked the email firstname.lastname@example.org yet, but it probably doesn't exist, and neither does the domain)
We will see tomorrow!
- (1) I've just received an email from Kaspersky Lab with the following content:
Malicious code detected by Kaspersky Lab products with KSN technology enabled has been found in the following files: Rechnungs-Details-43154391936.doc - UDS:DangerousObject.Multi.Generic
- (2) Microsoft reports the following:
25.08.2017 10:20: 11 Antivirus (Microsoft still reports the file as clean!)
Last update (03.09.2017 23:00): 31 Antivirus (Microsoft still reports the file as clean! I've submitted it twice, but no chance!)
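The sender line quoted at the top of this post shows a trusted-looking address as the display name while the real address sits on another domain. The following check for that pattern is an added example, not part of the original post; the header strings are constructed from the addresses above, and the assumption is that the real address arrived in angle brackets.

```python
import re

# An email address; group 1 captures its domain.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
# 'display name <address>': replies go to the part inside <>.
FROM_RE = re.compile(r"^\s*(?P<display>.*?)\s*<(?P<addr>[^<>]+)>\s*$")


def split_from(value):
    """Split a From header value into (display_name, address)."""
    m = FROM_RE.match(value)
    if m:
        return m.group("display").strip("\"' "), m.group("addr").strip()
    return "", value.strip()  # bare address without a display name


def domain_of(addr):
    """Lower-cased domain of a well-formed address, else None."""
    m = ADDR_RE.fullmatch(addr)
    return m.group(1).lower() if m else None


def display_name_spoof(value):
    """Return a finding when the display name shows an address whose
    domain differs from the real sender's domain, else None."""
    display, addr = split_from(value)
    real = domain_of(addr)  # None if the real address is malformed
    for m in ADDR_RE.finditer(display):
        shown = m.group(1).lower()
        if shown != real:
            return {"shown": m.group(0), "shown_domain": shown,
                    "actual": addr, "actual_domain": real}
    return None


if __name__ == "__main__":
    # Constructed sample headers, not captured mail.
    samples = [
        '"Boss.Name@our-institute.uni-hannover.de" <firstname.lastname@example.org>',
        'Boss.Name@our-institute.uni-hannover.de <firstname.lastname@example.org>',
        'Boss Name <Boss.Name@our-institute.uni-hannover.de>',
        'firstname.lastname@example.org',
    ]
    for header in samples:
        finding = display_name_spoof(header)
        print("SPOOF" if finding else "ok   ", header)
```

Many mail clients show only the display name, which is why the first two sample headers read as the boss's address even though replies would go to a different domain.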