HomePhabricator
DON'T! "View attachment to avoid."
I opened the Microsoft Word doc so you don't have to.

Suspicious Emails

Just the other day, a message was sent to one of Karen's addresses with a warning about a credit card charge and an attached, encrypted Word document called Scan_karenk.

Hello karenk,

You will be charged USD 2,126.81 on your personal Visa card shortly.
View attachment to avoid.
Password is 5558

Kind regards,
Rocky

Today, we received another:

Hello karenk,

You will be charged USD 1,056.04 on your personal Visa balance immediately.
Take a look at the attachment to avoid.
Password is 5558

Sincerely,
Otis

They were from email addresses with .ru on the end (Russia) and actually from Russian mail servers.

Preparing to open it

Microsoft Word 2010 Trust Center
I decided to open it, but wasn't going to do it on my machine. Instead, I downloaded a Linux Mint live CD because it had LibreOffice already installed.

LibreOffice disabled the macro, as Microsoft Word would have, because the default security setting forbids running startup macros when opening a document from an untrusted source.

Here's what was inside

CAN’T VEIW? MICROSOFT RECOMMENDS THE BELOW STEPS

  1. Open the document in MS Office. Previewing online does not work for protected documents.
  2. Use a PC/Desktop. Protected document doesn’t work on a mobile phone.
  3. Since you have downloaded this document Online, you will need to click “Enable Editing” or “Enable Macro” and then click “Enable Content” on the yellow bar, which may be shown to you.

Do not enable editing

If you do enable editing, then this macro does its thing on you: it downloads svchost.exe, saves it, and runs it.

The file is downloaded from a secret, dark web, .onion server, a type of server people usually must install a Tor client to access. Thanks to Backbone Telecommunications of Singapore's onion.link portal, the virus can download the code without exposing their home base, no Tor client required.

I didn't run the program, but here is what Karen's Version Browser displays for the downloaded, svchost.exe file:

Using 7-Zip, I opened the file as an archive, and found:

The outer executable extracts and runs a Nullsoft Scriptable Install System installer which then, I presume, installs and registers the DLLs from the $PLUGINSDIR. I don't know what happens to you after that.

No Threat Detected: Windows Defender Antivirus

Since Windows Defender didn't detect a threat, I did the manual submission thing.

Windows Defender Security Intelligence Team

I sent svchost.exe to Microsoft. Here is their summary so far (it's been an hour):

VirusTotal Detected Threat

VirusTotal inspects items with over 60 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content. Any user can select a file from their computer using their browser and send it to VirusTotal.

My results can be found here:
https://www.virustotal.com/#/file/c559dcbfb4741664136d5f944ae8c9f12a425a0833de8994410ef9bef5b8e405/detection

Written by Joe on Nov 7 2017, 10:50 PM.
User
Projects
None
Subscribers
None

Event Timeline