Something slightly different to start with this morning. There is nothing special about the email lure, but the attached word doc seems to be a bit different to the ones we are used to seeing with equation editor exploits. I don’t know if this is a different or unknown exploit using Microsoft Equation editor or whether it has anti-sandbox / Anti-VM protections. It definitely behaved very differently to the usual behaviour in the online sandboxes. Neither Anyrun nor Hybrid analysis were initially actually able to retrieve any working malicious content, although they did both show the initial download link ( … Continue reading →