
    #Security: Phishing with Macros once again!

    Hacking | 2 min | 1266

    And once again! Word files with macros! But this time I was the first one to report it to VirusTotal and Hybrid-Analysis! :)

    [Figure: Virus Macro!]
    Fig 1: VirusTotal report! Only two detections: Fortinet sells hardware, and Qihoo-360 is in China (:S)...

    Here you have the e-mail (translated from German). This time the sender is "BOSS Last Name" (a nice improvement! :P), without an address or anything like that!

    Good day, Riva, Mauro
    Please fill in and sign the marked places, with a stamp please, except for the SEPA form. For the direct debit.  -> with hyperlink (
    Kind regards,
    BOSS Last Name, BOSS First Name

    The mails are being sent from a server in the USA using the user (sorry Randy, I published your e-mail!). The auth is still PLAIN! I do not understand this! Here you can see the logs:

    Thu,  2 Nov 2017 08:55:12 +0100 (CET)
    Received: from ( []) by (Postfix) with ESMTP for xxxxxxx;
    Thu,  2 Nov 2017 08:55:11 +0100 (CET)
    Received: from ([]) by (InterMail vM. with ESMTP id <> for xxxxxxx;
    Thu, 2 Nov 2017 03:55:06 -0400
    Received: from ([]) by with bizsmtp id Uvuo1w0015CQpq201vv35M; 
    Thu, 02 Nov 2017 03:55:05 -0400
    Authentication-Results:; auth=pass PLAIN
    From: BOSS Last Name, BOSS First Name <>  -- only in the details can you see the e-mail address!
    To: <xxxxxxx>

    (xxxxxxx is my work e-mail address - you can find it on the internet, if you want to...)

    Here you have the analysis of the files:

    The analysis by Hybrid-Analysis is quite interesting! They were able to catch the hosts the file contacts:

    Contacted Hosts
    IP Address    Port/Protocol    Associated Process            Details                      OSINT
    (not shown)   80 TCP           powershell.exe (PID: 3752)    Slovakia (SLOVAK Republic)
    (not shown)   8080 TCP         storagewmi.exe (PID: 3036)    Hungary

    The default proofing language of the file was set to Russian.

    As usual, I wrote 'elprofedemicurso' and sent the files to the antivirus companies. Avira still does not recognize the file as a VIRUS!!! :(

    I've read somewhere that they are using ObfuscatedEmpire to obfuscate the files. There is little chance that antivirus will detect a new variant of this type of file. That means I am going to receive more e-mails like this one, or I will have to tune the spam filter! Do you have an idea how I can filter this type of e-mail using Exchange 2010? Please write me a comment if you know! Thanks in advance!!!
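    As an added example (not part of the original post), a small Python checker for the three indicators the post walks through: an external address hiding behind the boss's display name, an upstream relay reporting auth=pass PLAIN, and a Word attachment carrying a VBA project. The organisation domain, the executive list and every value in the constructed sample message are assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

ORG_DOMAIN = "example.org"                        # assumption: the recipient's own domain
EXECUTIVES = {"boss last name, boss first name"}  # assumption: display names to protect
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc container

def has_macros(data: bytes) -> bool:
    # OOXML is a zip; macro-enabled documents ship word/vbaProject.bin.
    # A legacy OLE2 .doc can embed VBA with no telltale extension, so flag it too.
    if data.startswith(OLE2_MAGIC):
        return True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def analyse(raw: bytes) -> list:
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if name.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN:
        findings.append(f"display-name impersonation: '{name}' sent from {addr}")
    for hdr in msg.get_all("Authentication-Results", []):
        if re.search(r"auth=pass\b.*\bPLAIN\b", str(hdr), re.I):
            findings.append("upstream relay accepted the sender via SMTP AUTH PLAIN")
    for part in msg.iter_attachments():
        if has_macros(part.get_content()):
            findings.append(f"macro-enabled Office attachment: {part.get_filename()}")
    return findings

def build_sample() -> bytes:
    """Constructed message mirroring the post's headers; every value is a placeholder."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)  # stand-in for a VBA project
    m = EmailMessage()
    m["From"] = '"BOSS Last Name, BOSS First Name" <randy@relay.example>'
    m["Authentication-Results"] = "relay.example; auth=pass PLAIN"
    m.set_content("Bitte die gekennzeichneten Stellen ergaenzen und unterschreiben.")
    m.add_attachment(docm.getvalue(), maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12", filename="SEPA_Formular.docm")
    return m.as_bytes()
```

    Running analyse(build_sample()) returns all three findings; a plain internal message with no attachment returns an empty list.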