Hello, welcome to the Thursday, August 27th, 2020 edition of the Sansaernet Storm Center's

Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Today we had an interesting Excel spreadsheet that Xavier came across. It looked very malicious.

Well, it had some macros in it, but had a virus total score of zero, which of course

made it even more suspicious with all of these macros inside.

Kevin Beaumont on Twitter probably had some of the solution here to why this particular Excel spreadsheet had

such a low virus total score. Apparently, it already ran through some kind of anti-malware

security software, which modified these macros so they would actually no longer run.

So in the end, yep, it was probably originally malicious

and yes, the virus total score of zero

was not necessarily a bad thing in the sense

that it no longer executed any of the malicious code.

Now another Twitter user Will did run it through the Thor scanner,

and it actually associated this particular spreadsheet with the OilRick APT,

and this particular Excel spreadsheet was associated with Windows Update.me,

which also is associated with a similar Excel spreadsheet that will found that was named

Mofa VPN.xLS, where MOFA, that may stand for Ministry of Foreign Affairs. So, well, really interesting

what can happen with a more or less random weird Excel spreadsheet. And of course,

thanks to everybody who chimed in on Twitter. And Bit Defender has an interesting write-up how an APT group used a plugin for Autodesk's 3DS Max.

This is software that is used to create 3D models and visualizes them.

So in this particular case, it was used against an architecture firm,

which of course uses software like this in their day-to-day business.

...