Reader Vinnie submitted a malicious document, including his analysis of this document. Great job!
Here is his analysis (we're publishing some parts as pictures, to avoid triggering anti-virus when you view this diary entry):
Host performing SQL injection scanning also hosting Emotet Maldoc.
Junos Attack log <35.190.186[.]53/56354->X.X.X.X/80> HTTP-SQL-INJ
Host 35.190.186[.]53 GEO DATA (53.186.190[.]35.bc.googleusercontent.com, Google Provider, Virginia US)
File name: 190220-Pay_receipt-747585655.doc
Similar files hosted on sites:
String 'shell' & Base64 encoded command in VBA compressed macro found in stream 8. Shown with yara rule below.
python ~/Documents/oledump.py -y#s#'shell' ~/Downloads/190220-Pay_receipt-747585655.doc.vir
1: 114 '\x01CompObj'
Variables defined in Function from stream 8:
Post Infection Traffic from EXE found at hxxp://51.15.113[.]220/2sT3beRO4:
Feb 27th 2019
3 weeks ago