Spear Phishing / Macro Word Document Virus

While I was on-site at a customer today, they mentioned a suspicious email that had just landed in their inbox.

The most interesting thing about the e-mail was how targeted the text in the main body was:

From: Robert Reskin <mrspiper@cox.net>
Subject: Steve <SURNAME REDACTED>, Tesimony Summons CASE <COMPANY NAME REDACTED> LTD (GB<REDACTED SEEMINGLY RANDOM NUMBERS>)

FORM 50A
Courts of Justice Act
SUMMONS TO TESTIFY (AT TRIAL)

SUMMONS TO WITNESS
TO Steve <SURNAME REDACTED>
YOU ARE REQUIRED TO ATTEND TO TESTIFY IN COURT at the hearing / trial on <COMPANY NAME REDACTED> LTD Breach Ref. I-24130284. on 11th April, 2016 , at 11:00, and to remain until your attendance is no longer required. Your case will be before Judge William Ganley
YOU ARE REQUIRED TO BRING WITH YOU and produce at the hearing the following documents and things: Please find the list of documents in the enclosed.
IF YOU FAIL TO ATTEND OR TO REMAIN IN ATTENDANCE AS COMMANDED BY THIS SUMMONS, A WARRANT MAY BE ISSUED FOR YOUR ARREST.

Date 28/04/2016.
This request to appear in court was issued at the request of, and inquiries may be directed to:
(William Ganley, Goldstein, David S. Attorney, 5 Highcliffe Close, EXMOUTH, Devon, EX 8 5HF)
UHN-E 70A (July 1, 2007)

Kind Regards,
Goldstein, David S. Attorney
Robert Reskin.
T.: 0844-9800045.

The text of the attached Word document was far less targeted. The file name was specific, but the content within the file was generic. Metadata shows the file was authored only a couple of hours before the e-mail was sent.

The attachment has a SHA256 of: 693ac555530ed53cb685824c872a54b3b502e7d8e04d9bf393ba753ec38cb3d7
VirusTotal Report / Malwr Report

AO 88 (Rev. 02/14) Subpoena to Appear and Testify at a Hearing or Trial in a Civil Action

COURTS AND TRIBUNALS JUDICIARY OF THE UNITED KINGDOM
SUBPOENA TO APPEAR AND TESTIFY

AT A HEARING OR TRIAL IN A CIVIL ACTION

for the
__________ District of __________

)
Plaintiff )
v. ) Civil Action No.
)
Defendant )
To:

YOU ARE COMMANDED to appear in the Australia district court at the time, date, and place set forth below to testify at a hearing or trial in this civil action. When you arrive, you must remain at the court until the judge or a court officer allows you to leave.

You must also bring with you the following documents, electronically stored information, or objects

Place: Courtroom No.:

PztHaXA7UNgfkaAj9ByCEHCTcqE8r3JB6KVClcUBpopoyqVPMCf5jJvY7liRVAmBcCGs0 nNLONmXldKQjAgOsSRN3xrDrvFql3AkZYWcM3AdH38 mg5LWxKjYuHQAcfKkI9U4zZSsK8fiXRnOtXyO Date and Time:

The following provisions of Fed. R. Civ. P. 45 are attached – Rule 45(c), relating to the place of compliance; Rule 45(d), relating to your protection as a person subject to a subpoena; and Rule 45(e) and (g), relating to your duty to respond to this subpoena and the potential consequences of not doing so.

Date:

CLERK OF COURT

OR
Signature of Clerk or Deputy Clerk Attorney’s Signature

Notice to the person who issues or requests this subpoena

If this subpoena commands the production of documents, electronically stored information, or tangible things before trial, a notice and a copy of the subpoena must be served on each party in this case before it is served on the person to whom it is directed. Fed. R. Civ. P. 4.

When you run the macro it downloads a further file from:

http://sellerie-western.com/word.exe
Avast, 24 hours later, detects this and prevents download / execution.
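
The checks used above (attachment hash, presence of a macro, and the gap between the document's creation time and the e-mail's Date header) can be scripted for triage. The sketch below is an added example, not part of the original post; it assumes the attachment is an OOXML (.docm-style) file, and `triage`, `build_sample` and the sample message are constructed for illustration.

```python
import email, email.policy, hashlib, io, re, zipfile
from datetime import datetime
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

CREATED = re.compile(rb"<dcterms:created[^>]*>([^<]+)</dcterms:created>")

def triage(raw_eml: bytes) -> list:
    """One finding per OOXML (zip-based) attachment in a raw message."""
    msg = email.message_from_bytes(raw_eml, policy=email.policy.default)
    sent = parsedate_to_datetime(str(msg["Date"]))
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue  # legacy OLE2 .doc files need a different parser
        hours = None
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            core = "docProps/core.xml"
            # Size guard: never inflate an oversized member of an untrusted zip.
            if core in names and z.getinfo(core).file_size < 1_000_000:
                m = CREATED.search(z.read(core))
                if m:  # assumes the usual UTC "...Z" timestamp form
                    created = datetime.fromisoformat(
                        m.group(1).decode().strip().replace("Z", "+00:00"))
                    hours = (sent - created).total_seconds() / 3600
        findings.append({
            "filename": part.get_filename(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "has_vba": any(n.lower().endswith("vbaproject.bin") for n in names),
            "hours_before_send": hours,  # small positive value = freshly built lure
        })
    return findings

def build_sample() -> bytes:
    """Constructed message with an inert .docm-shaped zip (no macro code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", '<p xmlns:dcterms="http://purl.org/dc/terms/">'
                   "<dcterms:created>2016-04-28T08:00:00Z</dcterms:created></p>")
        z.writestr("word/vbaProject.bin", b"placeholder, not a real VBA project")
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "recipient@example.com"
    m["Date"] = "Thu, 28 Apr 2016 10:30:00 +0000"  # constructed send time
    m.set_content("constructed body")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="octet-stream", filename="summons.docm")
    return m.as_bytes()
```

Calling `triage(build_sample())` returns a single finding with the attachment's SHA-256, `has_vba` set, and a 2.5-hour gap between document creation and sending.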
