Comments

spoofed eFax You received a new eFax from 516-6128936 delivers unknown malware — 8 Comments

  1. The main problem with these is that they delete the autoopen/Workbook_Open/Document_Open part of the macros when you open them. This is why it prompts to save when you exit – it has changed from the original. They need to be run through OfficeMalScanner to get the original code, then stepped through, which also causes an issue as they have bits that won’t run unless things are commented out. All in all a complete PITA
    In this case, we have module ‘temperament’ but we seem to have lost scaphosepalum and ThisDocument. ThisDocument contains the elusive Private Sub Document_Open()

  2. Additionally, in my sandbox, every time it is opened it creates a verclsid.exe process.
    Can’t see any functions being called that download anything.
    Functions referenced are
    ReadConsoleW
    SHCreateThread
    SHGetDesktopFolder
    SHChangeNotification_Lock
    NtAllocateVirtualMemory
    SHGetSettings
    PathFileExists
    NtWriteVirtualMemory

    Comments in source code are lyrics from Halou – Honeythief

  3. Just compared this one to an Amazon_Invoice_.doc one from today (22 Feb 2017) and guess what! Same behaviour and same embedded author – Matthew. Thanks Matthew!

    C:\Quarantine\eFax_victim.doc
    000206C4 ························· ·········M·a·t·t·h·e·w···E·v·e·r·y·o·n·e··
    00020708 ····································································
    0002074C ····································································
    00020790 ····································································
    000207D4 ····································································
    00020818 ·········Oh·····+’··0···p···········································
    0002085C ················································,·······8·······D···
    000208A0 ····P·······X·······`·······h··················· ···················
    000208E4 ····Matthew·································Normal.dotm·········Ever
    00020928 yone············2···········Microsoft Office Word···@····F·#····@···

    C:\Quarantine\Amazon_Invoice_victim.doc

    00019F2C ·······M·a·t·t·h·e·w···W·i·n·d·o·w·s································
    00019F70 ····································································
    00019FB4 ····································································
    00019FF8 ····································································
    0001A03C ····································································
    0001A080 ····································································
    0001A0C4 ····································································
    0001A108 ····································································
    0001A14C ····································································
    0001A190 ····································································
    0001A1D4 ····································································
    0001A218 ·········Oh·····+’··0···l···········································
    0001A25C ················································(·······4·······@···
    0001A2A0 ····L·······T··············d··················· ···················
    0001A2E4 ····Matthew·································Normal.dot··········Wind
    0001A328 ows·········1···········Microsoft Office Word···@····F·#····@····~··
    0001A36C ····@·······························································
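
    The two dumps in comment 3 are the \x05SummaryInformation stream of each OLE file: the "Oh·····+’··0" bytes are the tail of the SummaryInformation FMTID (F29F85E0-4FF9-1068-AB91-08002B27B3D9) followed by the 0x30 section offset, and Matthew / Normal.dotm / Everyone / Microsoft Office Word are the Author, Template, Last Saved By and Application Name properties. The script below is an added example, not code from the page or the commenter: it parses that property set layout (MS-OLEPS) and returns the fields one would pivot on across samples. The sample stream is constructed inline with illustrative values and the raw-file scan is a heuristic that only works when the stream is stored contiguously; both are assumptions made for the example.

    ```python
    import struct
    from datetime import datetime, timedelta

    # FMTID of the SummaryInformation property set as it appears on disk
    # ({F29F85E0-4FF9-1068-AB91-08002B27B3D9}, first three fields little-endian).
    SUMMARY_INFO_FMTID = bytes.fromhex("e0859ff2f94f6810ab9108002b27b3d9")

    # PIDSI_* property identifiers that matter for maldoc triage.
    PIDSI = {1: "CodePage", 2: "Title", 3: "Subject", 4: "Author", 5: "Keywords",
             6: "Comments", 8: "Template", 9: "LastSavedBy", 10: "RevisionNumber",
             12: "CreateTime", 13: "LastSavedTime", 18: "AppName"}

    VT_I2, VT_I4, VT_LPSTR, VT_FILETIME = 0x0002, 0x0003, 0x001E, 0x0040
    FILETIME_EPOCH = datetime(1601, 1, 1)


    def _codec(codepage):
        """Python codec for an OLEPS code page (assumption: cp-style names suffice)."""
        return "utf-8" if codepage == 65001 else "cp%d" % codepage


    def parse_summary_information(stream):
        """Parse a \\x05SummaryInformation stream (MS-OLEPS) into {field: value}."""
        if len(stream) < 48 or stream[:2] != b"\xfe\xff":
            raise ValueError("not an OLE property set stream")
        if stream[28:44] != SUMMARY_INFO_FMTID:
            raise ValueError("first property set is not SummaryInformation")
        sec_off, = struct.unpack_from("<I", stream, 44)          # normally 0x30
        sec_size, count = struct.unpack_from("<II", stream, sec_off)
        sec = stream[sec_off:sec_off + sec_size]
        # PropertyIdentifierAndOffset table: offsets are relative to the section.
        entries = [struct.unpack_from("<II", sec, 8 + 8 * i) for i in range(count)]
        codepage = 1252                                          # default if PID 1 absent
        for pid, off in entries:
            if pid == 1 and struct.unpack_from("<H", sec, off)[0] == VT_I2:
                codepage = struct.unpack_from("<H", sec, off + 4)[0]
        props = {}
        for pid, off in entries:
            vtype, = struct.unpack_from("<H", sec, off)          # type + 2 bytes padding
            if vtype == VT_LPSTR:
                size, = struct.unpack_from("<I", sec, off + 4)   # includes the NUL
                raw = sec[off + 8:off + 8 + size].split(b"\x00", 1)[0]
                value = raw.decode(_codec(codepage), "replace")
            elif vtype == VT_FILETIME:
                ticks, = struct.unpack_from("<Q", sec, off + 4)  # 100 ns since 1601
                value = (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).isoformat()
            elif vtype == VT_I4:
                value, = struct.unpack_from("<i", sec, off + 4)
            elif vtype == VT_I2:
                value, = struct.unpack_from("<h", sec, off + 4)
            else:
                continue                                         # VT_LPWSTR, VT_CF etc. skipped
            props[PIDSI.get(pid, "PID%d" % pid)] = value
        return props


    def find_summary_information(raw):
        """Heuristic: locate the stream in raw file bytes by its FMTID (assumes the
        stream is contiguous on disk; a real tool reads it via the OLE directory,
        e.g. olefile's openstream). Returns None when nothing parses."""
        idx = raw.find(SUMMARY_INFO_FMTID)
        while idx != -1:
            start = idx - 28                                     # FMTID sits at offset 28
            if start >= 0 and raw[start:start + 2] == b"\xfe\xff":
                return parse_summary_information(raw[start:])
            idx = raw.find(SUMMARY_INFO_FMTID, idx + 1)
        return None


    def fingerprint(props):
        """Tuple to pivot between samples, as the Author/Template match in comment 3."""
        return tuple(props.get(k) for k in ("Author", "LastSavedBy", "Template", "AppName"))


    def build_summary_information(fields):
        """Serialize a minimal SummaryInformation stream. Constructed test data only."""
        table, values = b"", b""
        head = 8 + 8 * len(fields)                               # size + count + table
        for pid, vtype, value in fields:
            table += struct.pack("<II", pid, head + len(values))
            if vtype == VT_I2:
                values += struct.pack("<HHh", vtype, 0, value) + b"\x00\x00"
            elif vtype == VT_FILETIME:
                values += struct.pack("<HHQ", vtype, 0, value)
            elif vtype == VT_LPSTR:
                data = value.encode("cp1252") + b"\x00"
                pad = b"\x00" * (-len(data) % 4)                 # values are 4-byte aligned
                values += struct.pack("<HHI", vtype, 0, len(data)) + data + pad
            else:
                raise ValueError("unsupported type for this builder")
        section = struct.pack("<II", head + len(values), len(fields)) + table + values
        header = (b"\xfe\xff\x00\x00" + struct.pack("<I", 0x00020006) + b"\x00" * 16
                  + struct.pack("<I", 1) + SUMMARY_INFO_FMTID + struct.pack("<I", 48))
        return header + section


    # Constructed sample mirroring the field layout of the dumps above; the values
    # are illustrative and were not taken from the real files.
    SAMPLE_FIELDS = [
        (1, VT_I2, 1252),
        (4, VT_LPSTR, "Matthew"),
        (8, VT_LPSTR, "Normal.dotm"),
        (9, VT_LPSTR, "Everyone"),
        (10, VT_LPSTR, "2"),
        (12, VT_FILETIME, 131321952000000000),                   # 2017-02-22T00:00:00 UTC
        (18, VT_LPSTR, "Microsoft Office Word"),
    ]
    SAMPLE_STREAM = build_summary_information(SAMPLE_FIELDS)

    if __name__ == "__main__":
        props = parse_summary_information(SAMPLE_STREAM)
        for name, value in props.items():
            print("%-15s %s" % (name, value))
        print("fingerprint:", fingerprint(props))
    ```

    On a real .doc the clean route is olefile (`ole.openstream("\x05SummaryInformation").read()` fed to parse_summary_information); the raw scan is only a fallback for carving when the OLE directory is damaged, and it misses streams split across non-adjacent sectors.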

  4. I received one of these with the link pointing to “peakfitness(.)com(.)my/apgetn.php?id=3DdmVuZC1pbkB
    mYXIyZ28ubmV0″ target=3D”. A compromised website, presumably.

  5. Thank you for this, I googled it after I received one and found your article, so didn’t open it. The number that was in my spoof email was a bona fide HMRC number so others beware. Thanks again.
