2020.11.23 20:06 InQuestLabs d7897e83397b516dd80147df24cce46197388b84bbb8365b2adfe85d743df540

This post is a quick look at the following document which popped up on our RADAR today as "interesting":
The document purports to be an invoice, as depicted here, but in actuality leads down a chain of pivots that results in the installation of a malicious Windows service pretending to be a McAfee AV Update task. The execution chain is as follows: Document to Remote Template to HTA to DLL.
[Embedded image: the invoice lure]
Unzipping the OOXML file and examining the relative links (defanged), we see a remote inclusion of a template on a CloudFront domain. This is already quite suspect:
$ cat word/_rels/settings.xml.rels   
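The manual check above can be scripted. The following is an added example, not code from the original post or from InQuest tooling: it walks every `.rels` part of an OOXML package and reports `attachedTemplate` relationships that point at a remote URL. The function names and the sample package (with its `example.invalid` hosts) are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
TEMPLATE_TYPE = OFFICE_REL + "attachedTemplate"
HYPERLINK_TYPE = OFFICE_REL + "hyperlink"


def external_relationships(docx_bytes):
    """Return (part, rel_type, target) for every TargetMode="External" relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    hits.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return hits


def remote_templates(docx_bytes):
    """Keep only attached templates fetched over HTTP(S); ordinary hyperlinks are ignored."""
    return [(part, target)
            for part, rtype, target in external_relationships(docx_bytes)
            if rtype == TEMPLATE_TYPE
            and target.lower().startswith(("http://", "https://"))]


def build_sample():
    """Constructed package (not the document from this post) with placeholder hosts."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels",
                    rels % (TEMPLATE_TYPE, "https://cdn.example.invalid/template.dotm"))
        zf.writestr("word/_rels/document.xml.rels",
                    rels % (HYPERLINK_TYPE, "https://www.example.invalid/"))
    return buf.getvalue()


if __name__ == "__main__":
    for part, target in remote_templates(build_sample()):
        # Defang the URL before printing it into a report or ticket.
        print(f"remote template in {part}: {target.replace('http', 'hxxp', 1)}")
```

External hyperlinks are common in benign documents, which is why the check narrows to the `attachedTemplate` relationship type before flagging anything.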
The template referenced above is available on InQuest Labs:
Use the following link to highlight interesting lines from the macro within the template, also depicted below. Note that there are a number of pre-written filters available in the dropdown here.
[Image: Filtered Macro Lines]
Note that the macro is seemingly going to install a new service, pretending to be a McAfee update service. That service appears to be defined by whatever is behind the following pivot to another resource on that same CloudFront domain:
The retrieved file is an HTA application that in turn contains two base64-encoded embedded payloads. First, let's look at the top of the HTA file, which moves the window off-screen to hide it from the user:
    Test HTA