
Monday, April 12, 2021

Malware Analysis - Google Docs to DocX to XLSB

I got this email. The link was to Google Drive:

Sender: sunringpal33@gmail.com
Subject: A full documents 9674
X-Originating-IP: [209.85.160.196]
Time: 04/09/21 12:43:33
Malware: Phish.LIVE.DTI.URL
URL: hxxps://drive.google[.]com/uc?export=download&id=1Z50lnHAW8NKIOL8cvpubm0iaYNHbWqKu
downloaded MD5: fddea65d6393155f25c9fd004e47df83
downloaded Filename: d7653901.docx

which downloads a Word doc

which has another link in it:

hxxps://accounting.marayo[.]com/loved.php

which downloads an Excel doc and redirects to DocuSign.

The Excel doc has macros and looks like this fake DigiCert prompt.

It has a hidden sheet.

If you change the font color, or copy/paste the entire contents into Notepad++, you'll see the macro code and a payload URL:

hxxps://masterize[.]com[.]br/vendor/laravel/framework/src/Illuminate/Foundation/Console/scmcs.exe

wmic.exe