Virus Macro

#Security: Phishing with Macros once again!


And once again! Word files with macros! But this time I was the first one to report it to VirusTotal and Hybrid-Analysis! :)

Fig 1: VirusTotal report! Only two detections: Fortinet sells hardware, and Qihoo-360 is in China (:S)...

Here is the e-mail. The sender this time is "BOSS Last Name" (a nice improvement! :P), shown without an address, or something like that!

Good day, Riva, Mauro

Please complete the marked places and sign; please stamp everything except the SEPA form. For the direct debit. -> with hyperlink (

Kind regards,
BOSS Last Name, BOSS First Name

The mails are being sent from a server in the USA using randy's user account. Sorry randy, I published your e-mail! The auth is still PLAIN! I do not understand this! Here you can see the logs:

Thu,  2 Nov 2017 08:55:12 +0100 (CET)
Received: from ( [])    by (Postfix) with ESMTP for xxxxxxx;

Thu,  2 Nov 2017 08:55:11 +0100 (CET)
Received: from ([]) by (InterMail vM. with ESMTP id <> for xxxxxxx;

Thu, 2 Nov 2017 03:55:06 -0400
Received: from ([]) by with bizsmtp id Uvuo1w0015CQpq201vv35M; 

Thu, 02 Nov 2017 03:55:05 -0400
Authentication-Results:; auth=pass PLAIN

From: BOSS Last Name, BOSS First Name <>  -- only in the details can you see the e-mail address!
To: <xxxxxxx>

(xxxxxxx is my work e-mail address; you can find it on the internet if you want to...)
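The header chain above is what a mail admin would walk by hand: the bottom-most Received line is the originating client, Authentication-Results says the sending server accepted an authenticated login (auth=pass PLAIN), and the From display name carries the boss's name on an outside address. The following script automates exactly that triage. It is an added example, not code from the original post; the message it parses is constructed from the dump above, and because the real host names and IPs were stripped from the page, RFC 5737 documentation addresses and .test domains stand in for them.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the header dump above. Host names, IPs and
# the sender address are placeholders (assumption), not the real values.
SAMPLE_HEADERS = """\
Received: from mx-in.example-receiver.test ([203.0.113.10]) by mail.example-receiver.test (Postfix) with ESMTP for <xxxxxxx@example-receiver.test>; Thu,  2 Nov 2017 08:55:12 +0100 (CET)
Received: from relay.isp.test ([198.51.100.7]) by mx-in.example-receiver.test (InterMail vM.9) with ESMTP id <id-1> for <xxxxxxx@example-receiver.test>; Thu,  2 Nov 2017 08:55:11 +0100 (CET)
Received: from client.bizsmtp.test ([192.0.2.44]) by relay.isp.test with bizsmtp id Uvuo1w0015CQpq201vv35M; Thu, 2 Nov 2017 03:55:06 -0400
Authentication-Results: relay.isp.test; auth=pass PLAIN
From: "BOSS Last Name, BOSS First Name" <randy@other-customer.test>
To: <xxxxxxx@example-receiver.test>
Subject: SEPA Formular

(body omitted)
"""

# "from <helo> ([<ip>]) by <host> ...; <date>" -- the common Received shape
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+"
    r"by\s+(?P<by>\S+).*;\s*(?P<date>.+)$",
    re.DOTALL,
)
AUTH_RE = re.compile(r"auth=(?P<result>\w+)(?:\s+(?P<mech>[A-Z0-9-]+))?")


def received_hops(msg):
    """Return hops in transit order: hops[0] is the originating client."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append(m.groupdict())
    hops.reverse()  # Received headers are prepended, so the last is the oldest
    return hops


def smtp_auth(msg):
    """(result, mechanism) from Authentication-Results, e.g. ('pass', 'PLAIN')."""
    for value in msg.get_all("Authentication-Results", []):
        m = AUTH_RE.search(str(value))
        if m:
            return m.group("result"), m.group("mech")
    return None


def triage(raw, internal_domain, known_names):
    """Summarise the indicators a responder checks first on a mail like this."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = received_hops(msg)
    name, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rpartition("@")[2].lower()
    auth = smtp_auth(msg)
    return {
        "hop_count": len(hops),
        "origin_ip": hops[0]["ip"] if hops else None,
        "smtp_auth": auth,
        # auth=pass on a foreign domain means the sender's own mailbox was used:
        # a compromised account, not a forged envelope that SPF/DMARC would catch
        "authenticated_external_sender": bool(
            auth and auth[0] == "pass" and from_domain != internal_domain
        ),
        # a colleague's or boss's display name on an address outside the company
        "display_name_impersonation": name in known_names
        and from_domain != internal_domain,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_HEADERS, "example-receiver.test",
                    {"BOSS Last Name, BOSS First Name"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

The display-name check is the one worth wiring into a gateway rule: a known internal name in the From display name combined with an external address is the pattern of this mail, and it survives the attackers changing servers.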

Here you have the analysis of the files:

The analysis by Hybrid-Analysis is quite interesting! They were able to capture the hosts the sample contacted:

Contacted Hosts
IP Address    Port/Protocol    Associated Process            Details
(not shown)   80 TCP           powershell.exe (PID: 3752)    Slovakia (Slovak Republic)
(not shown)   8080 TCP         storagewmi.exe (PID: 3036)    Hungary

The document's default proofing (spell-check) language was set to Russian.
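Both tells mentioned on this page, the VBA project inside the Word file and the proofing language it was authored in, live in the OOXML zip container and can be checked without opening the document in Word. The script below does that. It is an added example, not code from the original post or from any of the tools named here; it builds its own minimal macro-enabled document in memory (a placeholder vbaProject.bin, not a real VBA project) so it runs offline, and the list of "expected" languages is an assumption you would set to whatever your organisation normally writes in.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
VBA_CT = "application/vnd.ms-office.vbaProject"


def build_sample_docm():
    """Constructed minimal .docm, not the real sample: document part, style
    defaults with a Russian proofing language, and a placeholder VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", f"""<?xml version="1.0"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="xml" ContentType="application/xml"/>
  <Default Extension="bin" ContentType="{VBA_CT}"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>
</Types>""")
        z.writestr("word/document.xml", f"""<?xml version="1.0"?>
<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Bitte ...</w:t></w:r></w:p></w:body></w:document>""")
        z.writestr("word/styles.xml", f"""<?xml version="1.0"?>
<w:styles xmlns:w="{W_NS}"><w:docDefaults><w:rPrDefault><w:rPr>
<w:lang w:val="ru-RU" w:eastAsia="ru-RU" w:bidi="ar-SA"/>
</w:rPr></w:rPrDefault></w:docDefaults></w:styles>""")
        # OLE compound-file magic followed by padding; a real vbaProject.bin is
        # an OLE container holding the compressed VBA streams (placeholder only)
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()


def scan_office_doc(data):
    """Report VBA presence and every proofing language declared in the Word parts."""
    findings = {"has_vba": False, "vba_parts": [], "proofing_langs": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        ct = ""
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
        # 1. a VBA project is either a vbaProject.bin part or a declared content type
        findings["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        findings["has_vba"] = bool(findings["vba_parts"]) or VBA_CT in ct
        # 2. <w:lang> elements carry the proofing language (document, styles, settings)
        for n in names:
            if n.startswith("word/") and n.endswith(".xml"):
                try:
                    root = ET.fromstring(z.read(n))
                except ET.ParseError:
                    continue
                for lang in root.iter(f"{{{W_NS}}}lang"):
                    for attr in ("val", "eastAsia", "bidi"):
                        v = lang.get(f"{{{W_NS}}}{attr}")
                        if v:
                            findings["proofing_langs"].add(v)
    findings["proofing_langs"] = sorted(findings["proofing_langs"])
    return findings


def suspicious(findings, expected_langs):
    """Macro present AND authored in a proofing language the organisation does
    not normally use (the page's sample was set to Russian)."""
    foreign = [lang for lang in findings["proofing_langs"] if lang not in expected_langs]
    return findings["has_vba"] and bool(foreign)


if __name__ == "__main__":
    result = scan_office_doc(build_sample_docm())
    print(result)
    print("suspicious:", suspicious(result, {"de-DE", "en-US"}))
```

The same zip walk works on an attachment pulled from the mail gateway before it reaches a user, which is cheaper than waiting for an antivirus signature for each new obfuscated variant.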

As usual, I wrote 'elprofedemicurso' and sent the files to the antivirus companies. Avira still does not recognize the file as a VIRUS!!! :(

I've read somewhere that they are using ObfuscatedEmpire to obfuscate the files. There is little chance of the antivirus detecting a new variant of this type of file. That means I am going to receive more e-mails like this one, or I will have to tune the spam filter! Do you have an idea how I can filter this type of e-mail using Exchange 2010?! Please write me a comment if you know! Thanks in advance!!!
