Malicious Word file in email UK GEOLOGY PROJECT


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Invoice as requested”.

This email is sent from the spoofed address “UK GEOLOGY PROJECT by Rough & Tumble with Moussa Minerals <roughandtumble63@yahoo.co.uk>” and there is no body text in the email.

The attached file 20140918_122519.doc is a malicious Word file with a macro that downloads the 73 kB file bin.exe from the following locations:

hxxp://openstacksg.com/js/bin.exe
hxxp://worldinlens.net/js/bin.exe

The trojan is known as TR/Crypt.ZPACK.Gen4 or Malware.QVM20.Gen.

At the time of writing, 2 of the 54 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink or Malwr permalink for more detailed information.
SHA256: dcb491afa41042f5ff37ff37c80ac882dbf75865bd2c50a9be12d2d7b9c44225
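As an added example (not MX Lab's code), the following Python script turns the indicators above into defender-side checks: it refangs the two download URLs, scans proxy log lines for requests to those URLs or hosts, and compares a file's SHA256 against the listed payload hash. The log format and the log lines are constructed for the demo and are not from the advisory.

```python
"""Triage helpers for the 'Invoice as requested' campaign (added example).
Indicators are the ones listed in the advisory; log lines and file bytes
below are constructed for demonstration."""
import hashlib
import re
from urllib.parse import urlparse

# Defanged download URLs exactly as published in the advisory.
DOWNLOAD_URLS = [
    "hxxp://openstacksg.com/js/bin.exe",
    "hxxp://worldinlens.net/js/bin.exe",
]
# SHA256 of bin.exe as published in the advisory.
PAYLOAD_SHA256 = "dcb491afa41042f5ff37ff37c80ac882dbf75865bd2c50a9be12d2d7b9c44225"

def refang(url: str) -> str:
    """Turn a defanged URL (hxxp, [.], (dot)) back into a matchable one."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", ".").replace("(dot)", "."))

# (host, path) pairs a firing macro would request, plus the bare hosts.
IOC_HOST_PATHS = {(urlparse(refang(u)).hostname, urlparse(refang(u)).path)
                  for u in DOWNLOAD_URLS}
IOC_HOSTS = {host for host, _ in IOC_HOST_PATHS}

def scan_proxy_log(lines):
    """Return (client_ip, url, reason) for each request touching campaign infrastructure.
    Assumed (constructed) line format: <timestamp> <client_ip> <method> <url> <status>"""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than crash the scan
        client_ip, url = parts[1], parts[3]
        parsed = urlparse(url)
        if (parsed.hostname, parsed.path) in IOC_HOST_PATHS:
            hits.append((client_ip, url, "exact campaign download URL"))
        elif parsed.hostname in IOC_HOSTS:
            hits.append((client_ip, url, "contact with campaign host"))
    return hits

def is_known_payload(data: bytes) -> bool:
    """True if the bytes hash to the bin.exe sample from the advisory."""
    return hashlib.sha256(data).hexdigest() == PAYLOAD_SHA256

# Constructed sample log: the second line is a payload fetch, the third a
# contact with the other distribution host on a different path.
SAMPLE_LOG = [
    "2014-09-18T12:25:19 10.0.0.12 GET http://example.org/index.html 200",
    "2014-09-18T12:25:31 10.0.0.12 GET http://openstacksg.com/js/bin.exe 200",
    "2014-09-18T12:25:40 10.0.0.12 GET http://worldinlens.net/favicon.ico 404",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
```

A host-level match without the exact path still deserves a look, since the same infrastructure could serve a renamed payload.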