Have just tried to open a fake .doc file disguised as a DPD delivery form


5 replies to this topic

#1 carnivalist

carnivalist

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:31 AM

Posted 26 February 2018 - 07:30 PM

I received a very authentic email purporting to come from DPD informing me of a missed delivery. There was no link to an attachment - instead the email linked to a website identical to that of DPD in every way, except (as I later discovered) the URL was inauthentic. My local DPD is DPD.co.uk not DPD.com

A box in the fake DPD website asked me to enter my postcode. It then gave me a very authentic map of my local DPD depots and opening times, telling me I had various options to receive the parcel - redelivery etc. One of the options was collection, which I decided to pursue. In order to do this the site asked me to download a collection form.

Too late I learned that this was one of the apparently infamous fake doc files. On opening, it informed me it was a protected file and asked me to open it in MS Office and to enable macros/editing and click on specific buttons etc. However, as I only have OpenOffice, I couldn't do any of this as the indicated buttons etc. did not seem to be available in that application.

In order to try and open it I set macro security in OpenOffice options to the lowest level. It still wouldn't show me the supposedly hidden content (in other words there was no change in the appearance of the .doc file) so I updated both OpenOffice and Java and attempted to open it, but I still couldn't see any content.

 

Despite stumbling around various menus trying to load macros from various libraries and so on I never managed to see whatever protected content may or may not have been in the .doc file. (I can't remember exactly what I did as I don't understand the process and was getting frustrated at my inability to read the file as I actually am expecting a number of deliveries).

Zemana antilogger showed no infection. On opening Malwarebytes anti-rootkit a message said "appinit.dll" had been detected "which may indicate the presence of rootkits". I don't recall seeing this before. However the subsequent scan showed no problems. I will run an Avast boot-time scan when I restart my computer.

Did the fact that the document didn't seem to display protected content in OpenOffice protect me from infection, even though I set macro security to low and so on? How would I know if any of the bad macros actually ran?

 

Am I likely to have been infected and if so what should I do? Change all stored passwords? All passwords even if not stored? Change bank details I may have used before I downloaded this .doc file? I haven't logged into anything apart from email and this site since I tried to open the bad file.

If I performed a clean reinstall, would non-executable files (music, video, images, text etc) already on my hard disk or on a connected external drive be safe to copy to an external drive before reinstallation, or could they have been contaminated? Most such files stored on the computer itself are on a separate partition to the OS.

 

Apologies if I've posted in the wrong forum or broken any other protocol. I read through the posting guidelines, but didn't see any that indicated I shouldn't have made this post here.

Thanks for any advice.





#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,719 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:31 AM

Posted 27 February 2018 - 01:37 PM

Please submit the .doc file to VirusTotal and report the report link back here, I will have a look at it.

In case you are not familiar with submitting to VirusTotal, you can watch my video:

 

 

Most likely this is a .doc file with VBA macros, and that will not execute in OpenOffice. So your machine is OK.

But it's better that I have a look.


Edited by Didier Stevens, 27 February 2018 - 01:37 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 carnivalist

carnivalist

  • Topic Starter
  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:31 AM

Posted 28 February 2018 - 06:48 AM

Thanks for the reply Didier.

 

I don't have the file anymore. However I submitted the URL of the fake DPD site with the link to download the infected file to myonlinesecurity.co.uk.

 

They had a look and confirmed your supposition that it was a VBA macro that does not run under OpenOffice - in fact they said it only runs under certain versions of MS Office and not the Home editions. Apparently it was a new one that operates in a slightly different way than they had seen before, so they submitted it to various antivirus labs.

 

I don't have the infected file and there is no way to retrieve it as DPD had the fake website taken down.

 

Thanks again anyway. Your willingness to help is greatly appreciated.


Edited by carnivalist, 28 February 2018 - 06:50 AM.


#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,719 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:31 AM

Posted 01 March 2018 - 06:12 PM

I was able to find the document on VirusTotal.

It is indeed an MS Office document with VBA macros.

 

It will run on every version of MS Office though. The warning that is displayed regarding "MS Office Professional license" is a fake warning; when you see this warning, the malicious VBA code has executed.

https://twitter.com/DidierStevens/status/968969310243876864


Didier Stevens
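The practical consequence of the point above is that a macro document should be triaged before anyone opens it, because by the time the "license" prompt appears the VBA has already run. The script below is an added example for that triage step; it is not code from this thread or from any of Didier Stevens' tools. It assumes two things about Word containers: a legacy .doc is an OLE2 compound file whose VBA project is stored under directory entries named `Macros` and `_VBA_PROJECT` (scanned here as UTF-16LE byte strings, which is a cheap heuristic rather than a full compound-file parse), and an OOXML document (.docm, or a .docx carrying macros) is a ZIP archive holding the project in `word/vbaProject.bin`. The sample documents it checks are constructed inside the script, so it runs offline.

```python
"""Triage helper: flag Word documents that carry VBA macros without opening them.

Added example (not from the thread). Assumptions:
- Legacy .doc = OLE2 compound file; directory entry names are UTF-16LE, and a
  VBA project shows up as entries named "Macros" and "_VBA_PROJECT". Scanning
  for those byte strings is a heuristic, not a real CFB parse.
- OOXML (.docm/.docx/.xlsm) = ZIP archive; macros live in a vbaProject.bin part.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 / CFB signature
ZIP_MAGIC = b"PK\x03\x04"                        # first local file header of a ZIP

# Directory entry names as they appear on disk in an OLE2 directory stream.
OLE_VBA_MARKERS = tuple(name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT"))


def ole_has_vba(data: bytes) -> bool:
    """Heuristic: OLE2 container whose directory names a VBA project."""
    if not data.startswith(OLE_MAGIC):
        return False
    return any(marker in data for marker in OLE_VBA_MARKERS)


def ooxml_has_vba(data: bytes) -> bool:
    """OOXML: macros are stored in a part named vbaProject.bin (any folder)."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify(data: bytes) -> str:
    """Return a short triage label for a document's raw bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole-with-vba" if ole_has_vba(data) else "ole-no-vba-markers"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-with-vba" if ooxml_has_vba(data) else "ooxml-no-vba"
    return "not-an-office-container"


# ---- constructed samples (not real malware, not valid documents) -------------

def build_fake_ole(with_macros: bool) -> bytes:
    """OLE magic plus a fake directory region: just enough to exercise the heuristic."""
    body = bytearray(OLE_MAGIC)
    body += b"\x00" * 504                      # pad the header to one 512-byte sector
    names = ["Root Entry", "WordDocument", "1Table"]
    if with_macros:
        names += ["Macros", "VBA", "_VBA_PROJECT", "ThisDocument"]
    for name in names:
        body += name.encode("utf-16-le") + b"\x00" * 8   # name, then filler
    return bytes(body)


def build_fake_ooxml(with_macros: bool) -> bytes:
    """Minimal in-memory ZIP shaped like a Word package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder\x00")  # constructed bytes
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "legacy .doc with macros": build_fake_ole(True),
        "legacy .doc, no macros": build_fake_ole(False),
        "OOXML with vbaProject.bin": build_fake_ooxml(True),
        "OOXML without macros": build_fake_ooxml(False),
        "plain text": b"just a text file",
    }
    for label, blob in samples.items():
        print(f"{label:28s} -> {classify(blob)}")
```

Run it on a downloaded file by replacing the constructed samples with `open(path, "rb").read()`; a result of `ole-with-vba` or `ooxml-with-vba` means the document is worth submitting to VirusTotal or a proper compound-file parser before it goes anywhere near an Office install. A negative result from the OLE heuristic is only a hint, since it does not walk the directory stream; confirm with a real parser.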


#5 carnivalist

carnivalist

  • Topic Starter
  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:31 AM

Posted 03 March 2018 - 07:38 AM

Thanks for that useful info. I've passed it on to the guys at myonlinesecurity.

 

Regards.



#6 dvk01

dvk01

  • Malware Response Team
  • 129 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:31 AM

Posted 03 March 2018 - 09:50 AM

Thanks Didier for confirming the error message was fake.

The chain of infection is listed on https://myonlinesecurity.co.uk/fake-dpd-get-your-package-delivers-malware/





