One of my friends from Bangladesh, @rudr4_sarkar, sent me this link to analyze; it leads to a Word document.
http://mozillatm.com/A0Jst6jAd7CYerrqFmwb4wqDLa5XHPW_May_2017.doc
I figured out that this was the CVE-2017-0199 exploit. It was simple to find the payload.
```python
b = '00000068007400740070003a002f002f006d006f007a0069006c006c00610074006d002e0063006f006d002f006c006f006100640069006e0067002e00680074006d006c00000000'
# The payload URL is stored as UTF-16LE, so every other byte is 00: walk the hex
# string one byte (two characters) at a time, skip the null bytes, decode the rest.
# (Python 3 form of the original Python 2 one-liner, which used .decode('hex').)
print("".join(bytes.fromhex(i + j).decode() for i, j in zip(b[::2], b[1::2]) if i + j != '00'))
# http://mozillatm.com/loading.html
```
This exploit delivers a malicious HTA file and executes it. HTA files run under the IE engine, so the embedded VBScript will execute nicely.
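The one-liner above only works once you have already found the hex blob by hand. As an added example (not part of the original post), the scanner below generalizes that step for triage: it searches a raw document blob for http(s) URLs stored either as plain ASCII or as UTF-16LE, without assuming 2-byte alignment, so the link object's URL is recovered even behind the odd-length prefix seen in the sample. The sample blob is the page's own hex; the `example.test` URL in the usage is a constructed placeholder.

```python
import re

# Constructed sample: the hex blob from the analysis above, as it sits inside the
# document's link object (a short prefix, a UTF-16LE URL, then a NUL terminator).
SAMPLE_HEX = (
    '00000068007400740070003a002f002f006d006f007a0069006c006c00610074006d002e'
    '0063006f006d002f006c006f006100640069006e0067002e00680074006d006c00000000'
)

# Printable ASCII characters, either bare or each followed by a NUL (UTF-16LE).
_PATTERNS = {
    'ascii': re.compile(rb'https?://[\x21-\x7e]+'),
    'utf-16-le': re.compile(
        rb'h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+'
    ),
}


def extract_urls(blob):
    """Return (encoding, url) pairs for every http(s) URL found in a raw blob.

    Scanning byte-wise with regexes means a UTF-16LE string does not have to
    start on an even offset, which is exactly the case for the sample blob.
    """
    found = []
    for enc, pat in _PATTERNS.items():
        for m in pat.finditer(blob):
            found.append((enc, m.group(0).decode(enc)))
    return found


def extract_urls_from_hex(hex_string):
    """Convenience wrapper for a hex dump copied out of a document viewer."""
    return extract_urls(bytes.fromhex(hex_string))


if __name__ == '__main__':
    for enc, url in extract_urls_from_hex(SAMPLE_HEX):
        print(f'{enc:10} {url}')
    # Constructed second input: an ASCII URL next to unrelated bytes.
    print(extract_urls(b'\x01\x02http://example.test/a.hta\x00junk'))
```

Feed it the raw bytes of the .doc (or the unhexed OLE stream) and compare the URLs it reports against your blocklist; in the sample it returns the same loading.html URL the one-liner above decoded.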