Friday, 6 March 2020

Macro enabled .slk malware distribution

I came across a nasty campaign that uses macro-enabled .slk (SYLK) "Excel" file attachments.

Here's the email, sans any identifying information

There are no grammar errors, but there is some odd wording common to phishing campaigns: "kindly verify", "with gratitude".

It's unlikely that someone is going to send a business invoice from a hotmail.com address, which is a big indicator that this is bad.

The Excel icon for the attachment is quite convincing. SLK is a SYmbolic LinK (SYLK) file, a plain-text format used to exchange data between spreadsheets and various other software.

The sheet opens to a pretty standard-looking "Enable macros to view content" lure, common to macro-enabled maldocs.


Here's a snip of the code in the .slk

It appears to be using EEXEC to open a command prompt. In SYLK, a cell record's `E` field holds a formula, so `EEXEC(...)` is an Excel 4.0 `EXEC()` macro call (there is no VBA in an .slk file; these are XLM macros, which VBA-only detections miss). The first call opens a command prompt that loads the hxxp://phpimagehost dot com page, and from this page aGNEs.bat is downloaded into the local %temp% folder. EEXEC is used again to run aGNEs.bat, which is where the malware proper would be loaded onto the target system.
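The following is an added example, not the author's tooling or anything from the campaign: a small SYLK scanner that flags the structures described above (a macro-sheet option record, an Auto_Open name record, and cell expressions calling `EXEC()`) and pulls out the command strings. The sample file is constructed for the demo with a placeholder host and an `echo` command standing in for the real download; only the `%temp%` drop and the aGNEs.bat name follow the post.

```python
"""Scan a SYLK (.slk) attachment for embedded Excel 4.0 (XLM) macro records.

Added example for this post, not the author's code. It keys on the SYLK
"ID;" header rather than the file extension, then looks for the records the
post describes: an O record with the E (macro sheet) option, an NN record
naming Auto_Open, and C records whose E (expression) field calls EXEC().
"""
import re

# Constructed sample in the shape the post describes. The host is a
# placeholder (example.invalid) and the first command is a harmless echo
# standing in for the real download; only the %temp% drop and the
# aGNEs.bat name follow the post.
SAMPLE_SLK = "\r\n".join([
    "ID;PWXL;N;E",
    "O;E",
    "NN;NAuto_open;ER1C1",
    'C;X1;Y1;EEXEC("cmd /c echo placeholder hxxp://example.invalid/ > %temp%\\aGNEs.bat")',
    'C;X1;Y2;EEXEC("cmd /c %temp%\\aGNEs.bat")',
    "C;X1;Y3;EHALT()",
    "E",
])

# First quoted argument of an EXEC() call; Excel doubles quotes inside strings.
EXEC_RE = re.compile(r'EXEC\(\s*"((?:[^"]|"")*)"', re.IGNORECASE)


def parse_sylk(text):
    """Split SYLK text into (record_type, [fields]) tuples.

    In C and NN records a field starting with E is an expression; it swallows
    the rest of the record because a formula string may itself contain ';'.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(";")
        rtype, fields = parts[0], []
        i = 1
        while i < len(parts):
            if rtype in ("C", "NN") and parts[i].startswith("E"):
                fields.append(";".join(parts[i:]))
                break
            fields.append(parts[i])
            i += 1
        records.append((rtype, fields))
    return records


def scan_sylk(data):
    """Return the macro indicators found in a SYLK file (bytes or str).

    Content is checked, not the extension, so SYLK text delivered under
    another extension (e.g. .csv) is still examined.
    """
    text = data.decode("latin-1") if isinstance(data, bytes) else data
    result = {
        "is_sylk": text.startswith("ID;"),
        "macro_sheet": False,   # O;E marks the sheet as a macro sheet
        "auto_open": False,     # NN;NAuto_open... runs a cell on open
        "exec_commands": [],    # arguments of EXEC() calls in cell formulas
        "suspicious": False,
    }
    if not result["is_sylk"]:
        return result
    for rtype, fields in parse_sylk(text):
        if rtype == "O" and "E" in fields:
            result["macro_sheet"] = True
        elif rtype == "NN":
            names = [f[1:].lower() for f in fields if f.startswith("N")]
            if any(n.startswith("auto_") for n in names):
                result["auto_open"] = True
        elif rtype == "C":
            for f in fields:
                if f.startswith("E"):
                    for m in EXEC_RE.finditer(f[1:]):
                        result["exec_commands"].append(m.group(1).replace('""', '"'))
    result["suspicious"] = (
        result["macro_sheet"] or result["auto_open"] or bool(result["exec_commands"])
    )
    return result


if __name__ == "__main__":
    report = scan_sylk(SAMPLE_SLK)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Because the check starts from the `ID;` header, the same function can sit in a mail-gateway hook and examine every text attachment regardless of extension; a bare `.slk` block at the gateway catches only the obvious case.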

I didn't enable macros, so I didn't see the end result. MalwareHunterTeam found that the payload was the NetSupport Manager RAT, which can give someone full access to the affected system.

Here's the whois for that domain

It's noteworthy that the domain was registered on 3/4 and the phish was on 3/5. The phpimagehost page has already been taken down.

At my company we disable macros in macro-enabled Excel and Word files from online sources. This attack wouldn't have executed. Moving forward, we may block all emails with .slk attachments, since some employees do have to enable macros.

VT results from the .slk attachment
