In my previous post, I was (not so) politely asking DocuSign to admit e-mail addresses leaking.
Finally, they did! They posted Update 5/16/2017 - Update on Malicious Campaign.
Q: What information was impacted?
A: It was a list of email addresses stored in a separate, non-core system used for service-related announcements.
That is something they should have done a week ago, but I guess we have to settle with that.
Btw. I got my hands on the payload VB:Trojan.VBS.Downloader.ACR as named by F-Secure. As many have reported before, it's a MS Word document with a macro in it. The VBA-thingie de-obfuscates a "picture" embedded into the .doc
and injects that directly to memory to be executed. I really didn't want to waste the ton of time investigating the actual malware, its bad, I know that without looking. Its just another reminder of how dangerous the VBA-macros are, they can call any system call from Windows kernel and do really complex hacks, like any real executeable would do.