
SANS ISC: Internet Storm Center

It is Tax Season - Watch out for Suspicious Attachment

Published: 2017-02-26
Last Updated: 2017-02-26 00:28:05 UTC
by Guy Bruneau (Version: 1)

This week I received a very realistic-looking email, appearing to come from the Canadian Revenue Agency, with a Word document attached that made it through the AV gateway. It is tax season after all, and everyone must be extra vigilant. The Word document got me curious since it is supposedly from CRA and is named SecureDoc.doc; when you hear SecureDoc you think of WinMagic[1], but in this case there is no relation.


I examined a copy of the file using Didier Stevens' oledump.py[2] to find out whether there was anything I could get from it. I dumped the content and saw that it contains 3 macros (the streams identified by the M indicator).


I checked each of the macro streams 12, 13 & 14; stream 13 displayed strange results, similar to the results of this sandbox report[3].


Lastly, I checked for any embedded PE files in the document, to no avail. The file is malicious and is detected by 23/55 AV engines on VirusTotal[4].
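The triage steps above (list the streams, flag the macro streams, look for embedded PE files) as an added Python example; this is not part of the diary or of oledump.py. It assumes the third-party olefile package for walking the OLE container, a stream-name heuristic standing in for oledump's M marker, and a constructed byte buffer for the self-test; the PE scan itself is pure standard library.

```python
"""Triage helpers for an OLE (.doc) attachment: list streams, flag likely VBA
module streams, and scan every stream for an embedded PE image."""
import struct
from typing import Dict, List

# Subset of IMAGE_FILE_HEADER.Machine values, for a readable report.
IMAGE_FILE_MACHINE = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def find_embedded_pe(data: bytes) -> List[Dict]:
    """Return every offset at which a structurally valid PE image starts.
    A bare 'MZ' is not enough (it occurs in ordinary text): e_lfanew at
    MZ+0x3C must point inside the buffer at a 'PE\\0\\0' signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if e_lfanew >= 0x40 and pe + 24 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                machine, nsections = struct.unpack_from("<HH", data, pe + 4)
                hits.append({"offset": pos, "sections": nsections,
                             "machine": IMAGE_FILE_MACHINE.get(machine, hex(machine))})
        pos = data.find(b"MZ", pos + 1)
    return hits


def is_vba_module_stream(path: List[str]) -> bool:
    """Heuristic (an assumption of this example, not oledump's own check):
    a stream inside a 'VBA' storage that is not project bookkeeping."""
    name = path[-1]
    return "VBA" in path[:-1] and name not in ("_VBA_PROJECT", "dir") and not name.startswith("__SRP_")


def triage(ole_path: str) -> List[Dict]:
    """Walk an OLE file with olefile (imported lazily; pip install olefile)."""
    import olefile
    report = []
    ole = olefile.OleFileIO(ole_path)
    try:
        for entry in ole.listdir(streams=True, storages=False):
            blob = ole.openstream(entry).read()
            report.append({"stream": "/".join(entry), "size": len(blob),
                           "macro": is_vba_module_stream(entry), "pe": find_embedded_pe(blob)})
    finally:
        ole.close()
    return report


if __name__ == "__main__":
    import sys
    for row in triage(sys.argv[1]):  # usage: python triage.py suspicious.doc
        flag = "M" if row["macro"] else " "
        print(f"{flag} {row['size']:8d} {row['stream']}" + (f"  <-- embedded PE {row['pe']}" if row["pe"] else ""))
```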


[1] https://www.winmagic.com
[2] https://blog.didierstevens.com/2014/12/17/introducing-oledump-py/
[3] https://www.hybrid-analysis.com/sample/caec8c4e5cfbc59b34bd64b87cec0f10bcfecee11a79f05d9a2e37c26230ca9d?environmentId=100
[4] https://www.virustotal.com/en/file/fcd0eef7dec8141df9704da6fcf6543d6b18526ef2944b2a225b36883c7a0b4a/analysis/1487945938/

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Keywords: CRA Macro VBA
