SOC114 - Malicious Attachment Detected - Phishing Alert
This LetsDefend alert tested my ability to detect a malicious phishing URL.
The alert began with little detail: a suspicious email from an accounting address with an attached invoice for unspecified products or services. I downloaded the attachment for further analysis.
There appears to be a trend: attackers wrap malicious payloads inside otherwise benign containers (here, a folder), so a hash lookup of the container in threat-analysis services like VirusTotal and Hybrid Analysis returns nothing. I confirmed this by scanning both the folder and the file inside it. Only the file itself was reported malicious by both services, which also provided IOCs to watch for throughout the investigation.
The file was detected as a Trojan phishing .exe, which on further investigation exploits a vulnerability known to Microsoft and the security community and tracked as CVE-2017-11882. The vulnerability lies in the Microsoft Equation Editor (EQNEDT32.EXE), a legacy component that runs without protections such as DEP and ASLR, and lets a crafted document trick Office applications into launching insecure sub-processes.
Sandbox analysis validated this research, showing the EQNEDT32.EXE process initiating a connection to a Canadian IP address and an associated URL. A VirusTotal scan of the URL confirmed it was malicious. The alert information stated that the email had been delivered to and opened by the victim; SMTP log analysis confirmed delivery, although network log analysis did not show any connections to the attacker IP.
Further investigation of the endpoint, however, showed that a connection to the malicious URL had been made. I checked the process history and confirmed that the Equation Editor had executed on the host. In response, I quarantined the device from the network, deleted the email, reported my findings and closed the alert.
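As an added example that is not part of this write-up or of LetsDefend's material: a small detection routine over constructed endpoint telemetry that flags the Equation Editor behaviour investigated above (EQNEDT32.EXE spawning a child process or opening a network connection) and lists the hosts that would be candidates for quarantine. The CSV layout, host names and the documentation-range destination IP are assumptions, not values from the alert.

```python
import csv
from io import StringIO

EQUATION_EDITOR = "eqnedt32.exe"

# Constructed sample endpoint telemetry (hypothetical CSV export, not real logs).
# The destination IP is a documentation-range placeholder, not the alert's IOC.
SAMPLE_LOG = """\
time,host,event,parent_image,image,detail
2024-01-10T09:14:02Z,WS-01,process_create,C:\\Windows\\explorer.exe,C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE,WINWORD.EXE /n invoice.doc
2024-01-10T09:14:05Z,WS-01,process_create,C:\\Windows\\System32\\svchost.exe,C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE,EQNEDT32.EXE -Embedding
2024-01-10T09:14:06Z,WS-01,process_create,C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE,C:\\Windows\\System32\\cmd.exe,cmd.exe
2024-01-10T09:14:07Z,WS-01,network_connect,,C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE,203.0.113.45:80
2024-01-10T09:20:11Z,WS-02,process_create,C:\\Windows\\explorer.exe,C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE,EXCEL.EXE
"""


def _name(path):
    """Lower-cased file name from a Windows or POSIX path ('' if empty)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_equation_editor_abuse(log_text):
    """Return (severity, time, host, reason) findings, in log order.

    high: EQNEDT32.EXE spawning a child process or opening a network
          connection; the Equation Editor has no legitimate reason to do either.
    info: EQNEDT32.EXE executed at all (it is started via COM, so the parent is
          usually svchost.exe rather than the Office process). Legitimate when a
          document embeds an equation, so on its own it only shows the component ran.
    """
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        parent, image = _name(row["parent_image"]), _name(row["image"])
        stamp = (row["time"], row["host"])
        if row["event"] == "process_create" and parent == EQUATION_EDITOR:
            findings.append(("high", *stamp, f"{EQUATION_EDITOR} spawned {image}"))
        elif row["event"] == "network_connect" and image == EQUATION_EDITOR:
            findings.append(("high", *stamp, f"{EQUATION_EDITOR} connected to {row['detail']}"))
        elif row["event"] == "process_create" and image == EQUATION_EDITOR:
            findings.append(("info", *stamp, f"{EQUATION_EDITOR} launched by {parent}"))
    return findings


def hosts_to_isolate(findings):
    """Hosts with at least one high-severity finding: candidates for quarantine."""
    return {host for severity, _, host, _ in findings if severity == "high"}
```

Running `detect_equation_editor_abuse(SAMPLE_LOG)` on the constructed log yields one info and two high findings, all on WS-01, so `hosts_to_isolate` returns only that host.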