More Formbook via complicated download chain

A bit of  a complicated and difficult to follow malware campaign this afternoon. It all starts with a typical malspam email pretending to be a new order with a word doc attachment. This involves various Microsoft Equation editor exploits in the chain. CVE-2017-11882 and probably CVE-2017-0199 or another embedded ole exploit New quotation 2019.docx        Current Virus total detections:  Anyrun | The anyrun report shows some sort of login request to gg.gg but I have no idea what or why. This malware doc calls out to http://gg.gg/invoice_doc  which is a short url that goes to http://watchdogdns.duckdns.org/jae/invoice.doc Anyway next step Continue reading →