8 Comments on "spoofed eFax You received a new eFax from 516-6128936 delivers unknown malware"

Nyebodnye (Guest)

The main problem with these is that they delete the autoopen/Workbook_Open/Document_Open part of the macros when you open them. This is why it prompts to save when you exit – it has changed from the original. They need to be run through OfficeMalScanner to get the original code, then stepped through, which also causes an issue as they have bits that won’t run unless things are commented out. All in all a complete PITA
In this case, we have module ‘temperament’ but we seem to have lost scaphosepalum and ThisDocument. ThisDocument contains the elusive Private Sub Document_Open()

Nyebodnye (Guest)

Additionally, in my sandbox, every time it is open it creates a verclsid.exe process.
Can’t see any functions being called that download anything.
Functions referenced are
ReadConsoleW
SHCreateThread
SHGetDesktopFolder
SHChangeNotification_Lock
NtAllocateVirtualMemory
SHGetSettings
PathFileExists
NtWriteVirtualMemory

Comments in source code are lyrics from Halou – Honeythief

PC Tech (Guest)

Nyebodnye (Guest)

Just compared this one to an Amazon_Invoice_.doc one from today (22 Feb 2017) and guess what! Same behaviour and same embedded author – Matthew. Thanks Matthew!

C:\Quarantine\eFax_victim.doc
000206C4 ························· ·········M·a·t·t·h·e·w···E·v·e·r·y·o·n·e··
00020708 ····································································
0002074C ····································································
00020790 ····································································
000207D4 ····································································
00020818 ·········Oh·····+’··0···p···········································
0002085C ················································,·······8·······D···
000208A0 ····P·······X·······`·······h··················· ···················
000208E4 ····Matthew·································Normal.dotm·········Ever
00020928 yone············2···········Microsoft Office Word···@····F·#····@···

C:\Quarantine\Amazon_Invoice_victim.doc

00019F2C ·······M·a·t·t·h·e·w···W·i·n·d·o·w·s································
00019F70 ····································································
00019FB4 ····································································
00019FF8 ····································································
0001A03C ····································································
0001A080 ····································································
0001A0C4 ····································································
0001A108 ····································································
0001A14C ····································································
0001A190 ····································································
0001A1D4 ····································································
0001A218 ·········Oh·····+’··0···l···········································
0001A25C ················································(·······4·······@···
0001A2A0 ····L·······T··············d··················· ···················
0001A2E4 ····Matthew·································Normal.dot··········Wind
0001A328 ows·········1···········Microsoft Office Word···@····F·#····@····~··
0001A36C ····@·······························································
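
The two analysis steps in the comments above (listing the APIs the document references, and eyeballing the hex dumps for a shared embedded author) can be scripted. The following is an added example, not code from the blog or from any of the commenters: it carves ASCII and UTF-16LE strings out of a byte blob, reports the strings two files have in common, and flags the allocate-then-write pair among the referenced imports. The two document blobs are constructed stand-ins that only mimic how Word stores metadata; the real samples are not reproduced here, and the API list is the one the comment gives.

```python
import re

# Constructed stand-ins for the two .doc files compared in the comment above.
# They are NOT the real samples: just bytes laid out the way a Word binary
# file's SummaryInformation stream stores metadata, once as UTF-16LE (the
# "M·a·t·t·h·e·w" pattern in the dumps) and once as ANSI, separated by NULs.
def _fake_doc(author: str, last_saved_by: str, template: str) -> bytes:
    wide = (author.encode("utf-16-le") + b"\x00\x00"
            + last_saved_by.encode("utf-16-le") + b"\x00\x00")
    narrow = (author.encode() + b"\x00" * 4 + template.encode() + b"\x00" * 4
              + last_saved_by.encode() + b"\x00" * 4 + b"Microsoft Office Word\x00")
    return b"\x00" * 32 + wide + b"\x00" * 64 + narrow + b"\x00" * 16

SAMPLE_EFAX = _fake_doc("Matthew", "Everyone", "Normal.dotm")
SAMPLE_INVOICE = _fake_doc("Matthew", "Windows", "Normal.dot")

# Printable ASCII runs, and UTF-16LE runs (printable byte, NUL byte, repeated).
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def extract_strings(data: bytes, min_len: int = 4) -> list[tuple[str, str]]:
    """Return (encoding, text) pairs for every ASCII or UTF-16LE run in data."""
    found = [("ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    found += [("utf-16le", m.group().decode("utf-16-le")) for m in WIDE_RE.finditer(data)]
    return [(enc, s) for enc, s in found if len(s) >= min_len]

def metadata_overlap(a: bytes, b: bytes) -> set[str]:
    """Strings that appear in both files, regardless of encoding. A shared author
    or template name is a cheap pivot for clustering documents built by the same
    kit, which is what the comment above did by eye."""
    return {s for _, s in extract_strings(a)} & {s for _, s in extract_strings(b)}

# The imports listed in the earlier comment. Allocating memory and then writing
# into it (the two Nt* calls) is the usual first half of loading code into a
# process, so that pair alone is worth a flag during triage.
REFERENCED_APIS = [
    "ReadConsoleW", "SHCreateThread", "SHGetDesktopFolder", "SHChangeNotification_Lock",
    "NtAllocateVirtualMemory", "SHGetSettings", "PathFileExists", "NtWriteVirtualMemory",
]
INJECTION_PAIRS = [("NtAllocateVirtualMemory", "NtWriteVirtualMemory")]

def flag_injection_apis(names) -> list[tuple[str, str]]:
    """Return every suspicious API pair that is fully present in the import list."""
    present = set(names)
    return [pair for pair in INJECTION_PAIRS if present.issuperset(pair)]

if __name__ == "__main__":
    for label, blob in (("eFax", SAMPLE_EFAX), ("Amazon_Invoice", SAMPLE_INVOICE)):
        print(label, extract_strings(blob))
    print("shared metadata:", sorted(metadata_overlap(SAMPLE_EFAX, SAMPLE_INVOICE)))
    print("injection API pairs:", flag_injection_apis(REFERENCED_APIS))
```

On real files, read the .doc with `open(path, "rb").read()` in place of the constructed blobs; the UTF-16LE pattern is what makes the author field visible as "M·a·t·t·h·e·w" in a plain hex viewer, and carving it explicitly avoids having to spot it by hand.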

Megan Brooks (Guest)

I received one of these with the link pointing to “peakfitness(.)com(.)my/apgetn.php?id=3DdmVuZC1pbkB
mYXIyZ28ubmV0″ target=3D”. A compromised website, presumably.
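
The link as pasted above still carries its quoted-printable transfer encoding from the raw email source: "=3D" is an encoded "=", and the break in the middle of the id value is a soft line wrap. The id itself is base64 and decodes to an e-mail address, so even a preview fetch of the link tells the sender that the mailbox is live. The following added example (not from the blog post or the commenter) unwraps such a fragment, pulls out the href, defangs the host for reporting and decodes the id parameter; the host name and the id value are constructed placeholders, not the ones in the real email.

```python
import base64
import quopri
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of raw email source in quoted-printable transfer encoding,
# laid out like the pasted link above: "=3D" is an encoded "=", and a trailing
# "=" is a soft line break that wraps the link across two lines. The host and
# the id value are placeholders, not the ones from the real email.
ENCODED_ID = base64.b64encode(b"recipient@example.net").decode()
RAW_EMAIL_FRAGMENT = (
    '<a href=3D"http://phish.example/apgetn.php?id=3D' + ENCODED_ID[:12] + "=\n"
    + ENCODED_ID[12:] + '" target=3D"_blank">View your eFax</a>'
).encode()

HREF_RE = re.compile(r'href="([^"]+)"')

def decode_qp(raw: bytes) -> str:
    """Undo quoted-printable: rejoin soft-wrapped lines and decode =XX escapes."""
    return quopri.decodestring(raw).decode("utf-8", errors="replace")

def extract_links(decoded_html: str) -> list[str]:
    """Every href value in the decoded HTML body."""
    return HREF_RE.findall(decoded_html)

def analyse_link(url: str) -> dict:
    """Split a link into host, path and query, defang the host for reporting,
    and try to read the id parameter as base64. Mailers commonly put the
    recipient address there, so a fetch confirms a live mailbox by itself."""
    parts = urlsplit(url)
    ident = parse_qs(parts.query).get("id", [""])[0]
    try:
        padded = ident + "=" * (-len(ident) % 4)   # tolerate stripped padding
        decoded_id = base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        decoded_id = None                           # not base64: report it raw
    host = parts.hostname or ""
    return {
        "host": host,
        "defanged": host.replace(".", "(.)"),
        "path": parts.path,
        "id": ident,
        "id_decoded": decoded_id,
    }

if __name__ == "__main__":
    for link in extract_links(decode_qp(RAW_EMAIL_FRAGMENT)):
        print(analyse_link(link))
```

Feed it the raw message source (the "view original" text, not the rendered mail) so the quoted-printable layer is still present; the defanged host is what goes into a report or a block list, while the decoded id is why the link should be analysed offline rather than opened.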

Matt (Guest)

Thank you for this, I googled it after I received one and found your article, so didn’t open it. The number that was in my spoof email was a bona fide HMRC number so others beware. Thanks again.
