> Okay, great, thanks. Can you describe the risk for me? What does it do,
> and what's necessary for the user to do to become infected? It appears to
> be a rogue link phishing attack? So it requires the user to open the Word
> doc then click the link, correct?

Hi Alex,

1. I used strings on the doc file...

----(rot13 below)---
Nhgb_Bcra
nhgbBcra
JBexobbx_Bcra
\UJVCTZDKMBU.fpe
uggcf://qy.qebcobkhfrepbagrag.pbz/f/87pfejq4j7o6e09/pnyp.rkr?qy=1&gbxra_unfu=NNTt8WbYmal7GDikp4Vlq7NcK_Ls9sP9-9u67kIRnboKbN&rkcvel=1402160255
uggc://oneavrsvyz1996.eh/vzt.rkr
\UJVCTZDKMBU.fpe
--------------------

Which isn't looking good...

2. Quick check...

https://malwr.com/analysis/MWZmZjk5OTZmNDk1NGZkYzk3YTVmODcxNDE0ZDU5OGY/

So, looks like there might be some user input needed to actually run it,
but best it's blocked anyway.

Cheers,

Steve
Sanesecurity
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
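
The kind of strings check described in the message above, as an added Python example that is not part of the original thread: it pulls ASCII and UTF-16LE strings out of a document and reports macro auto-run entry points alongside URLs and executable file names, with URLs printed defanged. The keyword list, the extension list, the helper names and the sample bytes are assumptions constructed for illustration.

```python
import re

# Well-known VBA entry points that fire on open/close (assumed list, not exhaustive)
AUTO_EXEC = ("auto_open", "autoopen", "workbook_open", "document_open",
             "autoexec", "auto_close", "autoclose")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
EXE_RE = re.compile(r"[\w-]+\.(?:exe|scr|pif|bat)\b")  # assumed extension list


def extract_strings(data, min_len=4):
    """Printable ASCII and UTF-16LE runs, like `strings -a` plus `strings -el`."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [s.decode("ascii") for s in narrow] + [s.decode("utf-16le") for s in wide]


def defang(url):
    """Render a URL so it cannot be clicked or auto-linked in a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage(data):
    """Collect macro auto-run names, URLs and executable names from raw bytes."""
    findings = {"auto_exec": set(), "urls": set(), "executables": set()}
    for s in extract_strings(data):
        low = s.lower()
        findings["auto_exec"].update(n for n in AUTO_EXEC if n in low)
        findings["urls"].update(defang(u) for u in URL_RE.findall(s))
        findings["executables"].update(EXE_RE.findall(low))
    return findings


def is_suspicious(findings):
    """Auto-run macro plus a download URL or dropped executable warrants blocking."""
    return bool(findings["auto_exec"] and (findings["urls"] or findings["executables"]))


# Constructed sample bytes (not taken from the file discussed in the thread)
SAMPLE = (b"\xd0\xcf\x11\xe0\x00\x01" + b"Auto_Open\x00\x02"
          + "Workbook_Open".encode("utf-16le") + b"\x00\x00\x03"
          + b"\\DROPPED.scr\x00"
          + b"http://example.invalid/files/payload.exe?dl=1\x00")

if __name__ == "__main__":
    result = triage(SAMPLE)
    for kind, values in result.items():
        print(kind, sorted(values))
    print("suspicious:", is_suspicious(result))
```

A hit is only a triage signal: macros can be legitimate, and obfuscated macro code may not expose these strings at all.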