Update: I determined that the user downloaded an email containing a Word file attachment that was infected. I won't attempt to upload the file here. When opened in Word 2010 it displays a simple message claiming that the file was created in an earlier version of Word and the user should click various buttons in Word to enable it. I assume the user did so, and then was shown a link that she clicked to access the nasty URL I posted earlier.
With everything that was contained in that attachment, I believe avast! should have detected it as malicious and deleted it when the user tried to open it, as it usually does with malicious attachments.
I uploaded the Word file to VirusTotal, and it was flagged by multiple engines. This is the analysis that VirusTotal provided:
History
Creation Time
2018-04-19 18:59:00
First Submission
2018-12-17 17:55:01
Last Submission
2018-12-17 17:55:01
Last Analysis
2018-12-17 17:55:01
File names
• QSMINC.doc
OLE Compound File Info
Commonly Abused Properties
• May try to run other files, shell commands or applications.
Makes use of macros
Macros and VBA code streams
ThisDocument.cls
run-file
Summary Info
application name
Microsoft Office Word
character count
2
code page
Cyrillic
comments
Face to face dynamic projection
creation datetime
2018-04-19 19:59:00
edit time
180
last saved
2018-12-17 11:32:00
page count
1
revision number
11
security
0
subject
Hawaii Assunta
template
Normal
title
Ameliorated dedicated service-desk
word count
0
Document Summary Info
byte count
23552
characters with spaces
2
code page
Cyrillic
company
Jacobson Inc and Sons Rosalia Barton
hyperlinks changed
false
line count
1
links dirty
false
manager
Darrell Ondricka
paragraph count
1
scale
false
shared document
false
version
1048576
OLE Streams
•
• Root Entry
• • CompObj
• • DocumentSummaryInformation
• • SummaryInformation
• • 1Table
• • Data
• • Macros/PROJECT
• • Macros/PROJECTwm
• • Macros/VBA/ThisDocument
• • Macros/VBA/_VBA_PROJECT
ExifTool File Metadata
AppVersion
16.0
Bytes
23552
CharCountWithSpaces
2
Characters
2
CodePage
Windows Cyrillic
Comments
Face to face dynamic projection
CompObjUserType
Microsoft Word 97-2003 Document
CompObjUserTypeLen
32
Company
Jacobson Inc and Sons Rosalia Barton
CreateDate
2018:04:19 18:59:00
DocFlags
Has picture, 1Table, ExtChar
FileType
DOC
FileTypeExtension
doc
HeadingPairs
Title, 1, , 1
HyperlinksChanged
No
Identification
Word 8.0
LanguageCode
Russian
LastPrinted
0000:00:00 00:00:00
Lines
1
LinksUpToDate
No
MIMEType
application/msword
Manager
Darrell Ondricka
ModifyDate
2018:12:17 10:32:00
Pages
1
Paragraphs
1
RevisionNumber
11
ScaleCrop
No
Security
None
SharedDoc
No
Software
Microsoft Office Word
System
Windows
Template
Normal
TotalEditTime
3 minutes
Word97
No
Words
0
