Fake email from Free Mobile with invoice contains malicious Word file


MX Lab, http://www.mxlab.eu, started to intercept a large malware distribution campaign by email with the subject “Facture mobile du 20-05-2015”, with characteristics similar to the previous campaign of 6 May 2015.

This email is sent from the spoofed address “Free Mobile <freemobile@free-mobile.be>” and has the following body:

Dear subscriber,

Please find attached your mobile invoice
of 20-05-2015, for an amount of 15.99€ for the line.

You can disable receiving your invoice by email at any time in your subscriber area: http://mobile.free.be

Kind regards.

The Free team


Free Mobile – SAS with a share capital of 365.138.779 Euros

The attached 67 kB file Freemobile_0608490364_20-05-2015.doc (the file name may vary) is a Word document containing a macro that downloads further malware.

The Word file is detected as W97M.DownLoader.345, Trojan-Downloader.VBA.Agent (A), Macro.Trojan-Downloader.Agent.EB@gen, Trojan-Downloader.MSWord.Agent.jn, Troj/DocDl-MM or W2KM_DLOADR.CA.

At the time of writing, 6 of the 67 AV engines detected the trojan at Virus Total.

See Virus Total for more detailed information.
SHA256: 8f64e01696b0b00ce4a12d1820f7d0c5d099a0c04dd5e835b29dff12fb393ff0

MX Lab recommends not opening any of the attached Word files described above, or at least disabling macros by default.

Email “Fax 19.05” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Fax 19.05”.

This email is sent from a spoofed address and has the following short body:

Fax to *****@*****.***

The attached file Fax-5108870.zip contains the 32 kB file fax_info.exe.

The trojan is known as Evilware.Outbreak, BehavesLike.Win32.Downloader.nm, Downloader.Upatre!gen5 or Trojan.Win32.YY.Gen.0.

At the time of writing, 4 of the 55 AV engines detected the trojan at Virus Total.

See Virus Total for more detailed information.
SHA256: 84f1ae6ce6c614a962891ff2e2a15241e32232242a5f133ff47c771a2c8bce0e

Fake email Invoices April 2015 with attached malicious Word file


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects such as:

Financial information: Invoices April 2015
Important notice: Invoices April 2015
Important information: Invoices April 2015
Need your attention: Invoices April 2015

This email is sent from a spoofed address and has one of the following bodies:

Congratulations
Hope you are well

Please find attached the statement that matches back to your invoices.

Can you please sign and return.

Robin Wolfe

Dear Sir/Madam,

I trust this email finds you well,

Please see attached file regarding clients recent bill. Should you need further assistance please feel free to email us.

Best Regards,

Sophia Watts
Accounts Receivables

Good morning

Hi,
Please find attached a recharge invoice for your broadband.

Many thanks,
Tabatha Murphy

The attached 49 kB file, named veizaioj_87B9A16BB5.doc (the characters vary), is a malicious Word document with an embedded macro that downloads further malware onto the system.

The Word file is labelled as Malware!9f6e by 1 of the 57 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: fbc58f82f9231d8ee7598aa7da82a2f67e5f8d85297bd12373a5f2f29e738314

MX Lab recommends not opening any of the attached Word files described above, or at least disabling macros by default.

Multiple malware campaigns using malicious Word macro files to infect systems


MX Lab, http://www.mxlab.eu, started to intercept multiple malware distribution campaigns in which a Word file with a malicious macro is used to download trojans and infect the system. Here is an overview:

HP Digital Sending device

This email is sent from a spoofed address similar to “HP Digital Sending device <HP394036@localhost>”, has no subject and has the following body:

Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.

The attached file is named Document.doc. The malware is known as Trojan-Downloader.VBA.Agent.nr (v), Macro.Trojan-Downloader.Agent.EB@gen or W97M/Downloader.agv.

At the time of writing, 5 of the 56 AV engines detected the trojan at Virus Total.

See Virus Total for more detailed information.
SHA256: 5ed8cad4b73d30dfb7ee4767d213b32d5897c3e323e1b84f6b99e49a2d5f081a

Invoice #00044105; From Deluxebase Ltd

This email is sent from the spoofed address “Anna <anna@deluxebase.com>” with the subject “Invoice #00044105; From Deluxebase Ltd” and has the following body:

Hello

Thank you for your order which has been dispatched, please find an invoice for the goods attached.
Please contact us immediately if you are unable to detach or download your Invoice.
As a valued customer we look forward to your continued business.

Regards
Accounts Department
Deluxebase Ltd
UK Phone: 01482 880050
UK Fax: 01482 883225
International Phone: +44 1482 880050
International Fax: +44 1482 883225
accounts@deluxebase.com
http://www.deluxebase.com

The attached file is named ESale.doc. The malware is known as Trojan-Downloader.VBA.Agent.nr (v), Macro.Trojan-Downloader.Agent.EB@gen or W97M/Downloader.agv.

At the time of writing, 5 of the 55 AV engines detected the trojan at Virus Total.

See Virus Total for more detailed information.
SHA256: 7f57dc1d3abd0f7240a92e34a07a46cdf1b3f8c8b60b4bbbafd348cfd893237f

Financial information

This email is sent from spoofed email addresses, has the subject “Financial information” and has a body similar to:

Good morning

Please find attached a remittance advice, relating to a payment made to you.

Many thanks

Regards,

Sallie Ray
Senior Finance Assistant

The attached file is named sqkocfkqw_AC03100AA984.doc (name will vary).

At the time of writing, none of the 56 AV engines detected the trojan at Virus Total.

See Virus Total for more detailed information.
SHA256: 432c2969c7aef3561bb3d997c36dc887c36fba972c938f39994afdb2ab41a80e

Important information

This email is sent from a spoofed address, has the subject “Important information” and has a body similar to:

Good Afternoon,

Please see attached the copy of the remittance.

Please can you send a revised statement so we can settle any outstanding balances.

Kind Regards,

Rosa Chapman

The attached file is named 9f652096_414CE6CB87E2.doc (name will vary).

At the time of writing, none of the 55 AV engines detected the trojan at Virus Total.

See Virus Total for more detailed information.
SHA256: 32236980886eb0e924fac16abf1be0a0c2bec2bb33215e9d231c81abe7509d21

MX Lab recommends not opening any of the attached Word files described above, or at least disabling macros by default.

Emails with subject Part 0, Part 1, Part 2, Part 3,… contain Trojan/Win32.Upatre


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects such as:

Part 0
Part 1
Part 2
Part 3
Part 4
Part 5
Part 6
Part 7
Part 8
Part 9

This email is sent from a spoofed address and has the following very short body:

I will send final part also

The attached file 9ZENF7xtLTtz.zip contains the 48 kB file part_DGStyutyuertQ34G_xpdf.exe; the character combinations in the file names vary with each email.

The trojan is known as Trojan/Win32.Upatre, W32/Upatre.E3.gen!Eldorado, TR/Crypt.ZPACK.Gen or Downloader.Upatre!gen9.

At the time of writing, 9 of the 57 AV engines detected the trojan at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: b69e2ba2cb7b7d901060366ef0876a00894733d2e028d6fb38e9d5bc112e20fe

Email CITY OF PORT Arthur – STORM SEWER Project contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “CITY OF PORT Arthur – STORM SEWER Project”.

This email is sent from various spoofed email addresses and has the following body:

Please see attachment for contract.  Please sign and return.

Thanks

Fred Stepp – Office Manager
McInnis Construction, Inc.,
675 South 4th Street
Silsbee, Texas 77656
email: fred@mcinnisprojects.com
Phone: 409-385-5767
Fax: 409-385-2483

The attached file WOM8zLph4X8W.zip contains the 35 kB file contract_erwer2rdfvcsdva_erwr.exe.

The trojan is known as Kryptik.CLASS.

At the time of writing, 1 of the 55 AV engines detected the trojan at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: 16a536e70fab4993d961f1a6a780b497c09d8ca6cc28f465bd0416d623f70a86

Malicious Word attached to fake email Copy of your 123-reg invoice ( 123-015309323 ) from 123-reg.co.uk


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Copy of your 123-reg invoice ( 123-015309323 )” (the number in the subject may change).

This email is sent from the spoofed address “no-reply@123-reg.co.uk” and has the following body:

Hi,

Thank you for your order.

Please find attached to this email a receipt for this payment.

Help and support

If you are still stuck why not contact our support team? Simply visit our 123-reg Support Centre and click on the Ask a Question tab.

Thank you for choosing 123-reg.

The 123-reg team.
https://www.123-reg.co.uk

About us | Privacy policy
© Copyright 123-reg – Part of Webfusion Ltd

Webfusion Ltd is a company registered in England and Wales with company number 05306504. Our VAT number is 927 1292 22. The address of our registered office is: 5 Roundwood Avenue, Stockley Park, Uxbridge, Middlesex, UB11 1FF.

Screenshot of the fake message:

The attached file 123-reg-invoice.doc, which is 53 kB in size, is a malicious Word document containing a macro with instructions to download further malware onto the system.

The malicious Word file is detected as MO97:Downloader-WY [Trj], Macro.Trojan-Downloader.Agent.EB@gen, W97M/Downloader or Trojan-Downloader.VBA.Agent.nr (v).

At the time of writing, 5 of the 56 AV engines detected the trojan at Virus Total.

See Virus Total for more detailed information.
SHA256: 4baef401edc96a5e777724dbfded6ad5536f5badc88ec8f9c42c8dc35d201ba8

MX Lab recommends not opening this Word file, or at least disabling macros.
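The campaigns on this page share two attachment patterns: a legacy .doc with a VBA downloader macro (Free Mobile, Invoices April 2015, HP Digital Sending, Deluxebase, 123-reg) and a small .zip wrapping an .exe (Fax 19.05, Part N, Port Arthur). Below is an added example of a mail-gateway triage script that checks attachments for those patterns and against the SHA256 values reported above. It is not MX Lab's code: it assumes messages are available as raw .eml bytes, uses only the Python standard library, and its "OLE file whose directory names a Macros or _VBA_PROJECT storage" check is a heuristic, not a full VBA parser; the sample message it builds is constructed, not a real capture.

```python
"""Attachment triage for the campaigns described on this page (added example,
not MX Lab's code). Assumes raw RFC 822 (.eml) input; standard library only."""
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# SHA256 values reported on the page, mapped to the campaign they belong to.
KNOWN_BAD_SHA256 = {
    "8f64e01696b0b00ce4a12d1820f7d0c5d099a0c04dd5e835b29dff12fb393ff0": "Free Mobile invoice .doc",
    "84f1ae6ce6c614a962891ff2e2a15241e32232242a5f133ff47c771a2c8bce0e": "Fax 19.05 fax_info.exe",
    "fbc58f82f9231d8ee7598aa7da82a2f67e5f8d85297bd12373a5f2f29e738314": "Invoices April 2015 .doc",
    "5ed8cad4b73d30dfb7ee4767d213b32d5897c3e323e1b84f6b99e49a2d5f081a": "HP Digital Sending Document.doc",
    "7f57dc1d3abd0f7240a92e34a07a46cdf1b3f8c8b60b4bbbafd348cfd893237f": "Deluxebase ESale.doc",
    "432c2969c7aef3561bb3d997c36dc887c36fba972c938f39994afdb2ab41a80e": "Financial information .doc",
    "32236980886eb0e924fac16abf1be0a0c2bec2bb33215e9d231c81abe7509d21": "Important information .doc",
    "b69e2ba2cb7b7d901060366ef0876a00894733d2e028d6fb38e9d5bc112e20fe": "Part N Upatre .exe",
    "16a536e70fab4993d961f1a6a780b497c09d8ca6cc28f465bd0416d623f70a86": "Port Arthur contract .exe",
    "4baef401edc96a5e777724dbfded6ad5536f5badc88ec8f9c42c8dc35d201ba8": "123-reg-invoice.doc",
}

# Magic bytes of an OLE2 compound file, the container of a legacy .doc.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entries are stored as UTF-16LE; these storage names hold VBA code.
VBA_MARKERS = [name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT")]
# .exe is what the page reports inside the zip lures; the other extensions are an assumption.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def word_has_vba(data: bytes) -> bool:
    """Heuristic: an OLE2 file whose directory names a VBA storage contains macros."""
    return data.startswith(OLE_MAGIC) and any(marker in data for marker in VBA_MARKERS)


def archive_findings(data: bytes) -> list[str]:
    """Flag executables (and an OOXML vbaProject.bin) inside a zip attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []  # not a zip at all, nothing to report here
    findings = [f"archive contains executable: {n}" for n in names
                if n.lower().endswith(EXECUTABLE_EXTS)]
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        findings.append("OOXML document with embedded VBA project")
    return findings


def triage_attachment(name: str, data: bytes) -> list[str]:
    """Return the reasons, if any, to quarantine one attachment."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        findings.append(f"known-bad SHA256 ({KNOWN_BAD_SHA256[digest]})")
    if name.lower().endswith((".doc", ".dot")) and word_has_vba(data):
        findings.append("Word document with VBA macro storage")
    findings.extend(archive_findings(data))
    return findings


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment file name to its findings; an empty list means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        results[name] = triage_attachment(name, part.get_payload(decode=True))
    return results


def build_sample_message() -> bytes:
    """Constructed sample mimicking the Free Mobile and 'Fax 19.05' lures (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "Free Mobile <freemobile@free-mobile.be>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Facture mobile du 20-05-2015"
    msg.set_content("Cher(e) abonne(e), veuillez trouver en piece jointe votre facture mobile.")
    # Minimal OLE header followed by a 'Macros' directory name: enough for the heuristic.
    fake_doc = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 64
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="Freemobile_0608490364_20-05-2015.doc")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax_info.exe", b"MZ" + b"\x00" * 30)  # placeholder bytes, not a real binary
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Fax-5108870.zip")
    return bytes(msg)


if __name__ == "__main__":
    for filename, reasons in triage_message(build_sample_message()).items():
        print(filename, "->", reasons or ["nothing flagged"])
```

Hash matching only catches the exact samples already seen, which the page's own "name will vary" notes show is short-lived; the structural checks (VBA storage in a .doc, executable inside a zip) are what carry a policy like "disable macros by default" into the mail gateway. Extending the check to a real VBA parser (for example the oletools project) would replace the byte-marker heuristic without changing the rest of the flow.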
