Fortinet researchers have made an unusual find: a malicious Word file that is meant to target both OS X and Windows users.
As has lately become the norm, when opened the file asks the user to enable macros in order to view its contents. If the user complies, the document executes its malicious VBA (Visual Basic for Applications) code.
That code calls a function that extracts, decodes and runs a Python script stored, in encoded form, in the Word file's comments. The script takes a different route depending on the operating system:
On OS X, it downloads a second Python script from hxxps://sushi.vvlxpress.com:443/HA1QE, and that script in turn tries to connect to the host sushi.vvlxpress.com on port 443.
At the moment the server is not answering these requests, but it may in the future; the Python process nevertheless keeps running and continues trying to reach it.
On Windows, it ultimately launches PowerShell, runs two PowerShell scripts in succession, and downloads a file from hxxps://pizza.vvlxpress.com:443/kH-G5.
That file is a 64-bit DLL that communicates with the same server. What else it does is still unknown, but you can be sure its intentions aren't good.
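The two traits that make this sample stand out, a macro project plus a script hidden in the document's comments, are both visible without opening the file in Word, because a .docx/.docm is a zip container. The script below is an added triage example written for this article; it is not Fortinet's code and does not run any VBA or payload. It assumes the comment text lives in docProps/core.xml (Word's "Comments" property) or word/comments.xml (review comments), flags long base64 runs that actually decode, and looks inside them for the markers of an OS-branching downloader. The embedded sample document and script are constructed test input.

```python
"""Triage check for a macro-enabled Word document whose metadata carries an
encoded script payload. Added example, not Fortinet's code; it only inspects
the OOXML zip container and never executes VBA or the decoded script."""
import base64
import io
import re
import zipfile

# Parts that hold Word's "Comments" document property and review comments.
# Assumption: the sample's payload lived in one of these; both are scanned.
COMMENT_PARTS = ("docProps/core.xml", "word/comments.xml")
MACRO_PART = "word/vbaProject.bin"          # present only in macro-enabled files
MIN_BLOB_LEN = 64                           # shorter base64 runs are ignored
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_LEN)
# Substrings that suggest a decoded blob is an OS-branching downloader script.
SCRIPT_MARKERS = ("import ", "platform", "urllib", "subprocess", "powershell")


def find_encoded_blobs(text):
    """Return the decoded bytes of every base64-looking run in text."""
    blobs = []
    for match in BASE64_RUN.finditer(text):
        run = match.group(0)
        padded = run + "=" * (-len(run) % 4)
        try:
            blobs.append(base64.b64decode(padded, validate=True))
        except ValueError:
            continue                         # long token, but not valid base64
    return blobs


def triage(doc_bytes):
    """Inspect a .docx/.docm given as bytes and return a findings dict."""
    findings = {"has_macros": False, "encoded_blobs": [], "script_markers": []}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        names = set(zf.namelist())
        findings["has_macros"] = MACRO_PART in names
        for part in COMMENT_PARTS:
            if part not in names:
                continue
            text = zf.read(part).decode("utf-8", errors="replace")
            for blob in find_encoded_blobs(text):
                findings["encoded_blobs"].append((part, len(blob)))
                decoded = blob.decode("utf-8", errors="replace").lower()
                for marker in SCRIPT_MARKERS:
                    if marker in decoded and marker not in findings["script_markers"]:
                        findings["script_markers"].append(marker)
    if findings["has_macros"] and findings["encoded_blobs"]:
        findings["verdict"] = "suspicious"   # macros plus hidden encoded payload
    elif findings["has_macros"]:
        findings["verdict"] = "macros-only"
    else:
        findings["verdict"] = "clean"
    return findings


# Constructed stand-in for the embedded script: it only branches on the OS and
# does nothing, but it carries the markers a real downloader would.
SAMPLE_SCRIPT = b"""import platform, subprocess
if platform.system() == 'Darwin':
    pass  # stand-in for fetching the OS X second stage
else:
    pass  # stand-in for launching PowerShell
"""


def build_sample(with_macro=True, comment=None):
    """Build a minimal OOXML container in memory (constructed test input)."""
    if comment is None:
        comment = base64.b64encode(SAMPLE_SCRIPT).decode()
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
            'package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:title>Invoice</dc:title>'
            '<dc:description>%s</dc:description></cp:coreProperties>' % comment)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("docProps/core.xml", core)
        if with_macro:
            zf.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0" + b"\x00" * 64)  # OLE header stand-in
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_sample(comment="Quarterly figures, please review.")))
```

Run against a real file with `triage(open(path, "rb").read())`. The check is deliberately cheap and content-agnostic: it does not parse the VBA project (a dedicated tool such as olevba is the right next step once a file is flagged), and a benign macro document with a plain-text comment comes back as "macros-only" rather than "suspicious", so the verdict can drive quarantine without flooding analysts with every macro-enabled invoice.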
The malicious Word file is currently flagged by nearly half of the malware engines used by VirusTotal.
The researchers have shared indicators of compromise for cyber defenders to use. As always, end users are advised to think long and hard before enabling macros.