While going through emails that were reported by our internal users using Reporter, I came across a particularly nasty-looking phishing email that had a .doc attachment. At first, when I detonated the sample in my VM, it seemed that the attackers weaponized the attachment incorrectly. After extracting and decoding the shellcode, I discovered a familiar piece of malware that has been used for some time.
More here: http://phishme.com/decoding-zeus-disguised-as-an-rtf-file/