#1243181: Some changes to malicious RTF docs delivering Hawkeye

Description: I am seeing a bit of changes today from the scumbags who are distributing the Hawkeye Keylogger Trojan. The email template is a typical fake Purchase Order with a malicious word doc attachment. The word doc is actually a RTF that uses the CVE-2017-11882 equation editor exploits. Where the changes come is the obfuscation or encoding of the rtf file that makes analysis slightly more complicated and is intended to bypass existing detections from antiviruses & network perimeter defences.

This malicious RTF / Word doc has 87 pages of pure garbage displayed. The first page is blank, then dozens of pages of pure garabage, then a few pages of what looks like Vietnamese writing then more garbage.

They are using email addresses and subjects that will scare, shock, persuade or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com >. That is why these scams and phishes work so well.

It is very likely that there will be numerous different versions of this malware delivery campaign, using a large range of spoofed sender names, companies & email addresses. None of the alleged senders been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.

This particular version spoofs a Taiwan supplier of catering equipment.

The email looks like:

From: stephanychang@unitech-e.com.tw

Date: Fri 11/01/2019 03:14

Subject: Re: Purchase Order

Attachment: 30% Payment.doc

Body content:

Dear ,

Please be advised that we have arranged the payment to you. Please see below details.

Po# UF-181217 30% down payment $ 5960.77

Shortage of invoice no. 0000098828 CAD$ 14.00

Total: CAD 5974.77

Thank you and best regards,

Stephany Chang

Assistant – International Business Dept.



8F-2, No. 348, Sec. 6, Nanjing E. Road, Nei Hu dis, Taipei, 11470 Taiwan

Tel: +886-2-27922788 ext. 206 ¦ Fax: +886-2-27921213

E-mail : stephanychang@unitech-e.com.tw ¦ www.unitech-e.com.tw

Fake Purchase order email

Fake Purchase order email

30% Payment.doc Current Virus total detections: Anyrun |

This malware word doc /rtf file contacts http://bit.ly/2D1Ob77 where it is redirected to download from http://aoiap.org/q.png which is not any sort of image file but a renamed .exe ( VirusTotal)

Email Headers:
IP Hostname City Region Country Organisation Janduis Rio Grande do Norte BR AS265249 NETMAIS TELECOMUNICACOES ip-129-50.dataclub.eu Meppel Provincie Drenthe NL AS203557 DataClub S.A.

Received: from [] (port=54438 helo=srv01.sounetmais.com.br)
by my email server with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.91)
(envelope-from <stephanychang@unitech-e.com.tw>)
id 1ghnLY-0004m6-IY; Fri, 11 Jan 2019 03:19:02 +0000
Received: from [] (helo=IP-129-50.dataclub.eu)
by srv01.sounetmais.com.br with esmtpa (Exim 4.84_2)
(envelope-from <stephanychang@unitech-e.com.tw>)
id 1ghnIP-0007Jq-RP; Fri, 11 Jan 2019 01:15:48 -0200
Content-Type: multipart/mixed; boundary="===============1908145895=="
MIME-Version: 1.0
Subject: Re: Purchase Order
To: Recipients <stephanychang@unitech-e.com.tw>
From: stephanychang@unitech-e.com.tw
Date: Fri, 11 Jan 2019 05:14:29 +0200
Message-Id: <E1ghnIP-0007Jq-RP@srv01.sounetmais.com.br>

First Aid: IOC:

30% Payment.doc
MD5: 68766f2b8cfa7d033a76c6dbcb726c92
SHA-1: 733bbe6fe972f7d45aab03169d43e99a3b4fbd9f
Download URLs
MD5: 2a2f7f73bc1367e40c096e81afdd0ebe
SHA1: aba451f21b4ccdcaa7325f71f3c6f733738ab6e8
More info: https://myonlinesecurity.co.uk/some-changes-to-malicious-rtf-docs-delivering-hawkeye/?utm_source=hs_email&utm_medium=email&utm_content=68920458&_hsenc=p2ANqtz---caniP9fVeMxcUv4oKSNmzfOvckI5GyHNkKbHBAzyMdIZdbujvuuhvQ9x4crJGloRPiwhIMwG9U_vJWEKhN004cUiOgiDDJbzteVRusBvjr1hl3k&_hsmi=68920458

Date added Jan. 11, 2019, 3:19 p.m.
Source My Online Security
  • All New Malware or Attack Alerts - New Reports / IOCs in
  • HawkEye keylogger/stealer/ HawkEye Reborn v9
  • Microsoft Word
  • Phishing Alerts - Non-Banking
  • Scam/Fraud/Hoax Alerts
  • Spear Phishing / spearphishing / Angler Phishing / Whaling / CEO Fraud / W2 Fraud
CVE CVE-2017-11882