Fake email from VOIP Inc installs trojan downloader using Word macro script


MX Lab, http://www.mxlab.eu, started to intercept an email campaign with the subject “Your Order No 355253536 | Mob Inc.” that carries a malicious Word document. The document uses Word's macro functionality to install a trojan downloader.

This email is sent from spoofed addresses and has the following body:

Thank you for ordering from VOIP Inc.

This message is to inform you that your order has been received and is currently being processed.

Your order reference is 488910845598.
You will need this in all correspondence.
This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card. Your card will be charged for the amount
of 805.74 USD and “VOIP Inc.”
will appear next to the charge on your statement.
Your purchase information appears below in the file.

The attached ZIP file has the name Order.zip and contains the 41 kB file Order.Doc.

Order.Doc is a genuine Word document, but it contains a malicious macro. When the document is opened, it shows instructions on how to enable the content, which activates the malicious macro script.

View the contents of the document


For Microsoft Office 2013
To view the contents of the document, click on “Enable Content” on

For Microsoft Office 2010
To view the contents of the document, click on “Enable Content” on

For Microsoft Office 2007

1.Um display the contents of the document, click the Options
2 Then select “Display the content” and click “OK”

For Microsoft Office 2003
1 In the menu “Tools” click on “Macro” and then click “Security”.
2 Select “Low” and click “OK”.

Watch out! The set showed the document was created in a newer version of Microsoft Office ™.
For the display of the contents of this document you should activate the macro.

The downloader is known as W97M/Downloader, MO97:Downloader-DU, VBA/TrojanDownloader.Agent.AL, Trojan-Downloader:W32/Agent.DVCR, Trojan-Downloader.VBA.Agent or Trojan.Mdropper.

At the time of writing, 8 of the 53 AV engines at Virus Total detected the trojan downloader.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: af8694825d3d7eb470255b9dd858e6544ac54df9295bb373bc8205e8fe27722c
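
A mail gateway or analyst can triage an attachment like the one described above without opening it in Word. The following is an added example, not MX Lab's code: it hashes the ZIP and each member against the SHA256 published here and flags OLE documents that carry a VBA project. The function names, the size limit and the sample ZIP are assumptions made for illustration, and the macro check is a byte-level heuristic rather than a full OLE parser.

```python
import hashlib
import io
import zipfile

# SHA256 published on this page (the page does not say whether it covers
# the ZIP or the document, so both are compared against it).
PAGE_SHA256 = "af8694825d3d7eb470255b9dd858e6544ac54df9295bb373bc8205e8fe27722c"
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")      # OLE2 compound file header
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")    # stream name present in a VBA project
MAX_MEMBER = 20 * 1024 * 1024                      # assumed limit on declared member size


def triage_zip(zip_bytes):
    """Return one finding dict per ZIP member; nothing is executed or rendered."""
    findings = []
    zip_hit = hashlib.sha256(zip_bytes).hexdigest() == PAGE_SHA256
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            data = zf.read(info)
            digest = hashlib.sha256(data).hexdigest()
            is_ole = data.startswith(OLE_MAGIC)
            findings.append({
                "name": info.filename,
                "sha256": digest,
                "known_bad": zip_hit or digest == PAGE_SHA256,
                "ole_document": is_ole,
                # Heuristic: OLE directory names are stored as UTF-16LE, so a
                # VBA project leaves this stream name readable in the raw bytes.
                "has_vba_macro": is_ole and VBA_STREAM in data,
            })
    return findings


def build_sample_zip():
    """Constructed sample: a fake OLE blob with a VBA stream name, plus a text file."""
    fake_doc = OLE_MAGIC + b"\x00" * 504 + VBA_STREAM + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order.Doc", fake_doc)
        zf.writestr("readme.txt", b"constructed benign member")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

A `has_vba_macro` hit on a document that arrives zipped from an unknown sender is a reasonable quarantine signal even when, as here, few AV engines detect the file.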