Phishing Campaign using malicious documents pretending to be from XEROX Color Multi-function Machine

Posted by & filed under Notifications.

National CSIRT-CY would like to inform the general public about a new phishing campaign that sends e-mails carrying a Word document which pretends to be a document scanned by a XEROX Color Multifunction machine.

The sender's e-mail address is scanner@xerox-multifuctional.com, sent from IP address 91.121.181.22.


If you have received the following e-mail, please DO NOT open the attached file, because it contains malicious code.
If the attached file has already been opened, please contact us as soon as possible.


Malicious file Analysis


1. File Details

Type: Rich Text Format data, version 1, unknown character set

File Name: Declaration_Report.doc

Size: 2043 bytes

MD5: cb307598c0a29e5e4b7f70d15344adf6

SHA1: 4c0f7c2f0ab689f908c5f64e8ad6101f41e8566c

SHA256: a7a8454f6e10f378669affe3c7f2a7d6e6e6047b37e4f90e3c79e34a14a2520f

SHA512: 77489ea8fb9ec5643ca44410cc40cfb5ae971e15050433fa23c29562d2471b7d78401a698a35d1aa6b8f3c6722c070ca22fd7dc5d3b626cf62a4b48b7c35bf4e
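The file details above show an RTF body carrying a .doc file name. The following added example (not part of the CSIRT-CY advisory) triages an attachment by hashing it against the indicators listed above and by comparing its magic bytes with the container its extension implies, generalised to .doc, .docx and .rtf; the sample bytes and the `iocs` parameter are constructed for illustration.

```python
import hashlib
from pathlib import PurePosixPath

# Indicators taken from the advisory: hashes of the Declaration_Report.doc sample.
KNOWN_BAD_HASHES = {
    "md5": "cb307598c0a29e5e4b7f70d15344adf6",
    "sha1": "4c0f7c2f0ab689f908c5f64e8ad6101f41e8566c",
    "sha256": "a7a8454f6e10f378669affe3c7f2a7d6e6e6047b37e4f90e3c79e34a14a2520f",
}

# Leading bytes of the containers a Word attachment can really be.
RTF_MAGIC = b"{\\rt"                             # Rich Text Format (the sample's true type)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Word (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx) is a zip archive

# Container each extension is expected to carry; anything else is a mismatch.
EXPECTED_CONTAINER = {".doc": "ole", ".docx": "ooxml", ".rtf": "rtf"}

def detect_container(data: bytes) -> str:
    """Classify the attachment by its magic bytes, ignoring the file name."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"

def triage_attachment(filename: str, data: bytes, iocs: dict = KNOWN_BAD_HASHES) -> dict:
    """Hash the attachment against known indicators and flag a name/content mismatch."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    hash_hits = sorted(alg for alg, h in digests.items() if iocs.get(alg) == h)
    container = detect_container(data)
    ext = PurePosixPath(filename).suffix.lower()
    # The advisory's sample is RTF under a .doc name; RTF can embed OLE objects,
    # which is how the CVE-2017-11882 Equation Editor flaw is typically reached.
    ext_mismatch = container != EXPECTED_CONTAINER.get(ext, container)
    return {
        "container": container,
        "hash_hits": hash_hits,
        "ext_mismatch": ext_mismatch,
        "suspicious": bool(hash_hits) or ext_mismatch,
    }

# Constructed sample (not the real attachment): an RTF header under the advisory's file name.
SAMPLE_NAME = "Declaration_Report.doc"
SAMPLE_DATA = b"{\\rtf1\\ansi\\deff0 constructed sample, no payload}"
```

Running `triage_attachment(SAMPLE_NAME, SAMPLE_DATA)` reports the RTF-under-.doc mismatch even though the constructed bytes match none of the listed hashes; a real copy of the attachment would also match on all three digests.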


Malware Tags

  • Exploit
  • CVE-2017-11882
  • OpenDir
  • Loader
  • Keylogger
  • Hawkeye
  • Stealer
  • Evasion
  • Trojan

2. Behavior Activities


3. Behavior Graph


4. Network Activity


HTTP requests


Connections

DNS Requests