Ran it through LibreOffice to extract anything, but I’m not an expert. Only thing I saw was a suspicious macro: https://pastebin.com/5Mdfjy3m
Submitted to Talos, so if they find something more, I hope it helps.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Nov 9, 2017, at 7:26 PM, Al Varnell <alvarn...@mac.com> wrote:
>
> On Nov 9, 2017, at 3:23 PM, Eric Tykwinski wrote:
>> Does anyone know if the DDE payloads in Word documents are getting caught?
>>
>> I had a customer with a very strange virus, basically it downloaded his
>> inbox and was responding to recipients with an attached Word document.
>> This was coming from a botnet with the "EHLO localhost" signature. Spam
>> filters are catching them from SPF, and I haven’t yet analyzed the
>> attachment, so it might just be junk.
>>
>> Sincerely,
>>
>> Eric Tykwinski
>
> For those who have not seen the warning:
> https://technet.microsoft.com/en-us/library/security/4053440.aspx
>
>
> Sent from my iPhone
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml