Fake email “Your Air France boarding documents on 3Aug” contains malicious Word doc


MX Lab, http://www.mxlab.eu, started to intercept a distribution campaign by email with a malicious Word file attached.

This email is sent from the spoofed address “Air France <cartedembarquement@airfrance.fr>”, with a reply-to address “noreply@airfrance.fr”, has the subject “Your Air France boarding documents on 3Aug” and has the following body:

Airfrance SkyTeam

Attached is your Air France boarding pass.

Attached is your boarding pass in PDF format.

Important information
Your boarding pass in PDF format is only valid when printed. Please print this document and present it at the airport.
Please print your boarding pass in PDF format.

If you are not able to print your boarding pass, please print it at the airport, using a Self-Service Kiosk or at a check-in counter.

Thank you for choosing Air France. We wish you a pleasant flight. This is an automatically generated e-mail. Please do not reply.

AF KLM
Legal notice
Air France is committed to protecting your privacy. Our privacy policy specifies:
how we use the data we collect about you
the measures we employ to protect your privacy.

You will also find the procedure for limiting the use of your data.

The attached file Boarding-documents.docm is 25 kB large and is a Word document with an embedded malicious macro.

The Word macro is known as LooksLike.Macro.Malware.g (v), HEUR.VBA.Trojan, Trojan:W97M/MaliciousMacro.GEN, W97M/Downloader or W2KM_BA.35831666.

At the time of writing, 9 of the 55 AV engines detected the malicious Word file at Virus Total.

See the Virus Total report for more detailed information.
SHA256: 1d0131590382a18819c4f3b06017696707298275a4a725beaea8b7a25afbef56

Emails with subject “Report dated/Memo dated/Notification dated/Paper dated 9th June” contain a trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects like:

Report dated 9th Jun
Memo dated 9th March
Notification dated 9th June
Paper dated 8th May

This email is sent from spoofed email addresses and has the following body:

Be acknowledged that on Tuesday the 6th of May a facsimile was sent to chief accountant .
The given deed has essential information regarding the money abatement procedure .
Please confirm the due reception of the form .
For Your exploration stated paper had been enclosed.
Laura Smith
Chief accountant

This is to inform that on Monday the 7th of April a document was mailed to the director .
The indicated act introduces considerable data regarding the interest refund order .
Could you confirm the secure reception of the form .
For Your comfort stated document has been enclosed.
Jane Jackson
Senior Consultant

We turn Your attention to the fact that on Wednesday the 7th of May a document was forwarded to You .
The mentioned act contains important data dedicated to the interest abatement order .
Could you verify the secure receipt of the facsimile .
For Your easement stated paper is enclosed.
Helen Morgan
Chief accountant

Please be advised that on Wednesday the 6th of May a telecopy has been forwarded to chief accountant .
The described paper introduces considerable information dedicated to the levy refund proceedings .
We ask you to verify the due reception of the file .
For Your exploration the paper had been enclosed.
Sarah Nelson
Tax Officer

The attached file transcript_of_the_forwarded_order.zip contains the 75 kB large file extract_of_the_bank_writ.exe.

The trojan is known as a variant of Win32/Kryptik.DNRN, W32/Waski.A!tr, Trojan-Downloader.Win32.Upatre.ciaj or Win32.Trojan.Fakedoc.Auto.

At the time of writing, 4 of the 55 AV engines detected the trojan at Virus Total.

See the Virus Total report for more detailed information.
SHA256: 0c9b3eeb457f42e772419fbd5bd08adec0266105e469ad017d4848d5cbf94f1b

Another attached file extract_of_the_transmitted_order.zip contains the 75 kB large file pattern_of_the_forwarded_prescript.exe.

The trojan is known as a variant of Win32/Kryptik.DNRN, W32/Waski.A!tr, UDS:DangerousObject.Multi.Generic or Win32.Trojan.Fakedoc.Auto.

At the time of writing, 4 of the 56 AV engines detected the trojan at Virus Total.

See the Virus Total report for more detailed information.
SHA256: 53901e5962a5e08560610a8ed1cdf21eb6f417914c501d617c02d909e33069d6

Fake email “Bank query alert” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Bank query alert”.

This email is sent from spoofed email addresses and has the following body:

Good day!
Please note that we have received the bank query from Your bank regarding the current account.
You are asked to fill the appropriate bank form, which is enclosed below, until 20th day of
June in order to avoid the security hold of the account. Please also confirm the following
account No.: 9042 5736 6695 0412. After filling the document please send us the scan-copy
so that we could duly forward it to the bank manager. If you have any questions feel
free to contact us on: 677-77-90.
Thanks in advance.
Best regards, Michael Forester Managing Partner

The attached file Michael.zip contains the 46 kB large file Transfer_blocked.exe.

The trojan is known as Trojan.Win32.Generic.pak!cobra, Gen:Variant.Graftor.198120, Trojan.Win32.YY.Gen.4, LooksLike.Win32.Upatre.g (v) or Downloader.Upatre!gen9.

At the time of writing, 7 of the 57 AV engines detected the trojan at Virus Total.

See the Virus Total or Malwr reports for more detailed information.
SHA256: afa59fea8ed3a059c9de753acc3b98bd70d0ad990f0540f42bede07f945f11da

Fake email “Fax to” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Fax to”.

This email is sent from a spoofed address and has the following body:

Fax Massege:
Fax ID: 1500566473
User ID: 429286424

The attached file fax-1500566473_429286424.zip contains the 148 kB large file Document_invoice.exe.

The trojan is known as Downloader-FAVN!A43A201F788E, Trj/Genetic.gen, PE:Malware.Obscure!1.9C59 or Win32.Trojan.Fakedoc.Auto.

At the time of writing, 4 of the 57 AV engines detected the trojan at Virus Total.

See the Virus Total or Malwr reports for more detailed information.
SHA256: ee8aa66263e0c8249903efd4ed467b4666a0e8c7347a52826f786da91d1f247b

Email “Invoice ID” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Invoice ID”.

This email is sent from a spoofed address and has the following short body:

INVOICE

Invoice ID: 6568469164
Store id: 9135

The attached file 6568469164_9135.zip contains the 156 kB large file invoice_company.exe.

The trojan is known as PE:Malware.Obscure!1.9C59 or Trojan.Win32.Qudamah.Gen.24.

At the time of writing, 2 of the 57 AV engines detected the trojan at Virus Total.

See the Virus Total or Malwr reports for more detailed information.
SHA256: d09c434a93f4b124a54e84a39c31237bf2b6bce09545e777c7ddb8a55e9afec0

Fake email from Free Mobile with invoice contains malicious Word file


MX Lab, http://www.mxlab.eu, started to intercept a large malware distribution campaign by email with the subject “Facture mobile du 20-05-2015”, with characteristics similar to the previous campaign of 6th May 2015.

This email is sent from the spoofed address “Free Mobile <freemobile@free-mobile.be>” and has the following body:

Dear subscriber,

Please find attached your mobile invoice
of 20-05-2015, for an amount of 15.99€ for the line.

You can disable receiving your invoice by email at any time in your subscriber area: http://mobile.free.be

Kind regards.

The Free team


Free Mobile – SAS with a share capital of 365.138.779 Euros

The 67 kB large attached file Freemobile_0608490364_20-05-2015.doc (the file name may vary) is a Word file containing a macro that downloads further malware.

The Word file is detected as W97M.DownLoader.345, Trojan-Downloader.VBA.Agent (A), Macro.Trojan-Downloader.Agent.EB@gen, Trojan-Downloader.MSWord.Agent.jn, Troj/DocDl-MM or W2KM_DLOADR.CA.

At the time of writing, 6 of the 67 AV engines detected the trojan at Virus Total.

See the Virus Total report for more detailed information.
SHA256: 8f64e01696b0b00ce4a12d1820f7d0c5d099a0c04dd5e835b29dff12fb393ff0

MX Lab recommends not opening any of the Word files attached to the above emails, or at least keeping macros disabled by default.

Email “Fax 19.05” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Fax 19.05”.

This email is sent from a spoofed address and has the following short body:

Fax to *****@*****.***

The attached file Fax-5108870.zip contains the 32 kB large file fax_info.exe.

The trojan is known as Evilware.Outbreak, BehavesLike.Win32.Downloader.nm, Downloader.Upatre!gen5 or Trojan.Win32.YY.Gen.0.

At the time of writing, 4 of the 55 AV engines detected the trojan at Virus Total.

See the Virus Total report for more detailed information.
SHA256: 84f1ae6ce6c614a962891ff2e2a15241e32232242a5f133ff47c771a2c8bce0e
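As an added example (not code from MX Lab or from the posts above), a small Python triage routine that applies the patterns the campaigns above share: a .docm/.docx carrying a VBA project, a .zip wrapping an .exe, a legacy OLE2 .doc that still needs a macro check, and a SHA256 match against the hashes quoted in the posts. The sample message it builds reuses attachment names from the posts, but its file contents are constructed dummy bytes; olevba is named only as a suggested inspection tool.

```python
import hashlib, io, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

KNOWN_BAD_SHA256 = {  # the SHA256 values quoted in the posts above
    "1d0131590382a18819c4f3b06017696707298275a4a725beaea8b7a25afbef56",
    "0c9b3eeb457f42e772419fbd5bd08adec0266105e469ad017d4848d5cbf94f1b",
    "53901e5962a5e08560610a8ed1cdf21eb6f417914c501d617c02d909e33069d6",
    "afa59fea8ed3a059c9de753acc3b98bd70d0ad990f0540f42bede07f945f11da",
    "ee8aa66263e0c8249903efd4ed467b4666a0e8c7347a52826f786da91d1f247b",
    "d09c434a93f4b124a54e84a39c31237bf2b6bce09545e777c7ddb8a55e9afec0",
    "8f64e01696b0b00ce4a12d1820f7d0c5d099a0c04dd5e835b29dff12fb393ff0",
    "84f1ae6ce6c614a962891ff2e2a15241e32232242a5f133ff47c771a2c8bce0e",
}

def zip_names(data):
    """Entry names of a zip archive (a .zip lure or an OOXML .docm), or [] if not a zip."""
    try:
        return zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return []

def triage_attachment(filename, data):
    """Reasons an attachment matches the patterns of the campaigns above."""
    reasons, name, names = [], filename.lower(), zip_names(data)
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        reasons.append("sha256 matches a sample listed in the posts")
    if name.endswith(".zip") and any(n.lower().endswith((".exe", ".scr")) for n in names):
        reasons.append("zip wraps an executable")
    if name.endswith((".docm", ".docx")) and "word/vbaProject.bin" in names:
        reasons.append("Word OOXML file carries a VBA project (macro)")
    if name.endswith(".doc") and data.startswith(b"\xd0\xcf\x11\xe0"):  # OLE2 header
        reasons.append("legacy OLE2 .doc: inspect for macros (e.g. olevba) before opening")
    return reasons

def triage_eml(raw):
    """Map each attachment filename of a raw RFC 822 message to its triage reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): triage_attachment(p.get_filename(), p.get_content()) for p in msg.iter_attachments()}

def build_sample_eml():
    """Constructed lure (dummy bytes): a zip wrapping an .exe and a .docm with a VBA entry."""
    def zipped(inner):
        with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
            zf.writestr(inner, b"dummy bytes, not a real payload")
        return buf.getvalue()
    msg = EmailMessage()
    msg.add_attachment(zipped("Document_invoice.exe"), maintype="application", subtype="zip", filename="fax-1500566473_429286424.zip")
    msg.add_attachment(zipped("word/vbaProject.bin"), maintype="application", subtype="octet-stream", filename="Boarding-documents.docm")
    return msg.as_bytes()
```

Running `triage_eml(build_sample_eml())` flags both attachments; feeding it a real message from the mail gateway quarantine works the same way, and a clean text attachment returns an empty list.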
