Hello, welcome to the Tuesday, February 4th, 2020 edition of the Sansonet Storms on a stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Jan came across an interesting malicious document currently being distributed via email.

The initial email actually actually not really all that

significant, just looked like the usual request for quotation style email. The document that was

attached claimed to be a Word document, but was actually an RTF, a rich text format document. Now, with RTF, you essentially now have the

ability to create some of these compound documents with various files. In this particular case,

the attacker choose to embed for Excel spreadsheets and automatically open them as the document is opened.

Reason behind having four Excel spreadsheets is that each one will ask the user to enable

macros. So by being sort of bombarded with these dialogues, they're essentially just hoping

that the user will give up and eventually click one

of the dialog boxes and allow the macros to run.

What's also sort of interesting with the particular Excel macro that of course then is being

loaded is that it is encrypted three times. Now of of course, the keys are included in the message.

So the encryption here is not really done to keep the content secret, but more or less just

to make it more difficult to reverse the particular document and also make it more difficult

for anti-melver to automatically

essentially unpack the malware using the passwords provided. Antomelver may be able

to do this sort of with one layer, maybe two, but of course the third layer was then added

to make it even more difficult for Antimmalware to automatically analyze this particular document.

The end goal here apparently is to install Azo Rult on your system.

...