I received a suspicious email about a cancelled BPAY transaction. It was tied to an email address of mine that has NEVER been used in a BPAY transaction, so of course I didn't open it. It had a zip file attachment containing a Word document (specified in the body of the email), so I fired up a Linux VM, transferred the zip file to /home, and opened it with Ark.
As expected, there was a Word document titled BillPay cancelled payment_95073.doc, so I fired up LibreOffice Writer to take a look. Interestingly, the zip file said "bpay" while the document said "billpay" - which is a bill-paying service of Australia Post.
Anyway, LO Writer warned me about the (expected) macros and disabled execution. I went to the macro editor to take a peek at the code - which was mostly beyond my skills (I haven't done any Word coding for years), but I saw some things which set the alarm bells ringing, such as the AutoOpen module and constructing strings of Windows pathnames from parts (e.g. "\app"+"data\lo"+"cal\t"+"emp"), obviously intended to obfuscate and not trigger malware scanners.
I submitted it to VirusTotal and Jotti's, but both returned negative. Then I sent it to hybrid-analysis.com and got a "malicious" flag. Here's the URL for the analysis, if anyone's interested:
My question is "what next"? Should I submit it anywhere else, or just delete the whole thing and get on with my life? I have a Windows XP VM, but I don't particularly want to fire that up and let the macro execute just to see what sort of trouble it causes.
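Static triage of the macro source, as an added example that is not part of the original post or of any tool mentioned in it: the post describes pathnames assembled from fragments such as "\app"+"data\lo"+"cal\t"+"emp", which is a common trick to defeat keyword scanners. The script below takes VBA source text (for instance pasted from the LibreOffice macro editor), collapses every chain of concatenated string literals back into one literal, and then scans for indicator keywords. The sample macro is constructed for illustration and is not the real one, and the indicator list is my own choice, not a standard.

```python
import re

# Constructed sample VBA, modelled on the obfuscation pattern described in the
# post (a Windows path assembled from string fragments). It is NOT the real macro.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim p As String
    p = Environ("USERPROFILE") & "\app" + "data\lo" + "cal\t" + "emp" & "\x.exe"
    Set o = CreateObject("MS" + "XML2.XML" + "HTTP")
    Shell p, vbHide
End Sub
'''

# Keywords worth a second look in any Office macro (VBA is case-insensitive).
# Illustrative list, not an exhaustive or standard one.
INDICATORS = ["AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open",
              "Shell", "CreateObject", "Environ", "XMLHTTP", "ADODB.Stream",
              "PowerShell", "Chr(", "StrReverse"]

# A VBA string literal; an embedded quote is written as "". Literals never span lines.
LITERAL = re.compile(r'"(?:[^"\n]|"")*"')
# Text allowed between two literals of one concatenation chain: + or &,
# optional whitespace, optional line continuation (" _" followed by a newline).
GLUE = re.compile(r'\s*[+&]\s*(?:_\s*)?')


def decode_literal(lit: str) -> str:
    """Strip the quotes and unescape "" -> " ."""
    return lit[1:-1].replace('""', '"')


def encode_literal(s: str) -> str:
    """Inverse of decode_literal."""
    return '"' + s.replace('"', '""') + '"'


def deobfuscate(src: str) -> str:
    """Collapse every chain of concatenated literals into a single literal.

    Literals are tokenised left to right, so a closing quote is never mistaken
    for the start of a new literal. A quote inside a ' comment would still
    confuse the tokeniser; strip comments first if that matters.
    """
    tokens = list(LITERAL.finditer(src))
    out, pos, i = [], 0, 0
    while i < len(tokens):
        j = i
        # Extend the chain while the gap to the next literal is just + or &.
        while j + 1 < len(tokens) and GLUE.fullmatch(src[tokens[j].end():tokens[j + 1].start()]):
            j += 1
        if j > i:
            out.append(src[pos:tokens[i].start()])
            joined = "".join(decode_literal(t.group()) for t in tokens[i:j + 1])
            out.append(encode_literal(joined))
            pos = tokens[j].end()
        i = j + 1
    out.append(src[pos:])
    return "".join(out)


def extract_strings(src: str) -> list:
    """All string literals in the source, decoded."""
    return [decode_literal(m.group()) for m in LITERAL.finditer(src)]


def find_indicators(src: str) -> list:
    """Indicator keywords present in the source (case-insensitive)."""
    low = src.lower()
    return [k for k in INDICATORS if k.lower() in low]


if __name__ == "__main__":
    clean = deobfuscate(SAMPLE_VBA)
    print(clean)
    print("strings:", extract_strings(clean))
    print("indicators before:", find_indicators(SAMPLE_VBA))
    print("indicators after: ", find_indicators(clean))
```

Run the scan twice, before and after deobfuscation: on the raw sample, "XMLHTTP" is invisible because it is split across two fragments, and only the joined source reveals both the full temp path and the COM object being instantiated. That difference is exactly why the concatenation trick is used.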