July 28, 2015
MX Lab, http://www.mxlab.eu, started to intercept an email distribution campaign with a malicious Word file attached.
This email is sent from the spoofed address “Air France <email@example.com>”, with the reply-to address “firstname.lastname@example.org”, has the subject “Your Air France boarding documents on 3Aug” and has the following body:
Attached is your Air France boarding pass.
Attached is your boarding pass in PDF format.
Your boarding pass in PDF format is only valid when printed. Please print this document and present it at the airport.
Please print your boarding pass in PDF format.
If you are not able to print your boarding pass, please print it at the airport, using a Self-Service Kiosk or at a check-in counter.
Thank you for choosing Air France. We wish you a pleasant flight. This is an automatically generated e-mail. Please do not reply.
how we use the data we collect about you
the measures we employ to protect your privacy.
You will also find the procedure for limiting the use of your data.
The attached file Boarding-documents.docm is 25 kB in size and is a Word document with an embedded malicious macro.
The Word macro is known as LooksLike.Macro.Malware.g (v), HEUR.VBA.Trojan, Trojan:W97M/MaliciousMacro.GEN, W97M/Downloader or W2KM_BA.35831666.
At the time of writing, 9 of the 55 AV engines detected the malicious Word file at VirusTotal.
See VirusTotal for more detailed information.
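As an added example (not MX Lab's code), the Python below triages a message like the one described: it flags Office Open XML attachments that carry a VBA project, even when renamed, and notes when the Reply-To domain differs from the From domain. The sample message is constructed from the headers quoted above with a harmless placeholder attachment, and the function names are hypothetical.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Content type of the main part of a macro-enabled Word document (.docm)
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"

def ooxml_has_macros(data: bytes) -> bool:
    """True if data is an OOXML (zip) container that carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                low = info.filename.lower()
                if low.endswith("vbaproject.bin"):
                    return True
                # The declared content type still gives it away after a rename to .docx
                if (low == "[content_types].xml" and info.file_size < 1_000_000
                        and MACRO_CT.encode() in zf.read(info)):
                    return True
    except zipfile.BadZipFile:
        pass  # not a zip container (e.g. legacy .doc or a real PDF)
    return False

def triage(raw: bytes) -> dict:
    """Report macro-carrying attachments and a From/Reply-To domain mismatch."""
    msg = message_from_bytes(raw, policy=policy.default)
    dom = lambda h: parseaddr(str(msg.get(h, "")))[1].rpartition("@")[2].lower()
    flagged = [p.get_filename() for p in msg.iter_attachments()
               if ooxml_has_macros(p.get_payload(decode=True) or b"")]
    # A differing Reply-To is only a weak signal; the macro check is the strong one
    return {"macro_attachments": flagged,
            "reply_to_differs": bool(dom("Reply-To")) and dom("Reply-To") != dom("From")}

def build_sample() -> bytes:
    """Constructed sample: headers as quoted in the post, harmless placeholder payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", f'<Types><Override ContentType="{MACRO_CT}"/></Types>')
        zf.writestr("word/vbaProject.bin", b"placeholder bytes, not a real VBA project")
    msg = EmailMessage()
    msg["From"] = "Air France <email@example.com>"
    msg["Reply-To"] = "firstname.lastname@example.org"
    msg["Subject"] = "Your Air France boarding documents on 3Aug"
    msg.set_content("Attached is your Air France boarding pass.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="Boarding-documents.docm")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```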