I was extremely surprised to wake up this Sunday morning to a whole slew of fake DHL delivery notice emails with a macro-enabled Word doc attachment that eventually downloads some sort of keylogger. There is some dispute as to what the actual keylogger is. Some AV on VirusTotal describe it as an AgentTesla generic, whereas Anyrun app calls it Sentinel. I don’t think either is 100% correct.

DHL_FORM.doc: current VirusTotal detections | Anyrun

This malware doc downloads from https://heritagebank.ga/Quotation.exe (VirusTotal), which is behind Cloudflare and is also a phishing site for the genuine heritage …