Email “Signature Invoice 44281” contains malicious Word file


Emails carrying malicious Word or Excel attachments that contain a macro which downloads the actual trojan have become extremely common. MX Lab, http://www.mxlab.eu, has started to intercept a new security risk distribution campaign by email with the subject “Signature Invoice 44281”.

This email is sent from the spoofed address “Rhianna Wellings <Rhianna@teckentrupdepot.co.uk>” and has the following body:

Your report is attached in DOC format.

To load the report, you will need the Microsoft® Word® reader, available to download at http://www.microsoft.com/

The attached file Signature Invoice.doc, 38 kB in size, is a Word file with an embedded macro that downloads the actual trojan.

At the time of writing, the malicious Word file is not being marked as dangerous by any AV engine at Virus Total.

Use the Virus Total permalink or Malwr permalink for more detailed information.
SHA256: 5dc552dabde0e6bd70ed1765d1a8c7cd394a6fc2c32519f529ae619f73739fd6

The Word macro downloads the 69 kB Windows executable bin.exe from the following locations:

hxxp://Lichtblick-tiere.de/js/bin.exe
hxxp://sunfung.hk/js/bin.exe

The trojan is known as Dridex.K, Artemis!5971384FA151, PE:Malware.XPACK-LNR/Heur!1.5594 or UDS:DangerousObject.Multi.Generic.

A file will be created at %TEMP%\1V2MUY2XWYSFXQ.exe and outbound traffic is generated on port 8080 towards the following IPs:

74.208.11.204
81.169.156.5
59.148.196.153

At the time of writing, 6 of the 56 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink for more detailed information.
SHA256: 1f56a9ae1984cc1c9435609c0c63845fe0eebaa025fd24387829d280e7dfafcc
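The indicators listed above (download URLs, C2 addresses and port, file hashes) are what a defender would feed into proxy and firewall log review. The following Python script is an added example and is not part of the MX Lab post: it matches those indicators against constructed sample log lines. The proxy and firewall log formats and the sample lines are assumptions made for the example; the indicator values themselves are the ones reported in the post.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators taken from the MX Lab post: download hosts, C2 IPs/port and file hashes.
DOWNLOAD_HOSTS = {"lichtblick-tiere.de", "sunfung.hk"}
DOWNLOAD_PATH = "/js/bin.exe"
C2_IPS = {"74.208.11.204", "81.169.156.5", "59.148.196.153"}
C2_PORT = 8080
KNOWN_BAD_SHA256 = {
    "5dc552dabde0e6bd70ed1765d1a8c7cd394a6fc2c32519f529ae619f73739fd6",  # Signature Invoice.doc
    "1f56a9ae1984cc1c9435609c0c63845fe0eebaa025fd24387829d280e7dfafcc",  # bin.exe
}

# Constructed sample logs (not real captures). Assumed proxy format:
# "<epoch> <client> <method> <url> <status> <bytes>"; assumed firewall format:
# "<timestamp> <action> <proto> <src>:<port> -> <dst>:<port>".
SAMPLE_PROXY_LOG = """\
1422000001.123 10.0.0.5 GET http://lichtblick-tiere.de/js/bin.exe 200 70656
1422000002.456 10.0.0.7 GET http://www.example.com/index.html 200 1024
1422000003.789 10.0.0.5 GET http://SUNFUNG.HK/js/bin.exe 404 512
"""

SAMPLE_FIREWALL_LOG = """\
2015-01-23T10:00:01 ALLOW TCP 10.0.0.5:49152 -> 74.208.11.204:8080
2015-01-23T10:00:02 ALLOW TCP 10.0.0.7:49153 -> 93.184.216.34:443
2015-01-23T10:00:03 ALLOW TCP 10.0.0.5:49154 -> 81.169.156.5:8080
2015-01-23T10:00:04 ALLOW TCP 10.0.0.9:49155 -> 59.148.196.153:22
"""

FW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def match_proxy_line(line):
    """Return a hit dict if the requested URL is one of the bin.exe download locations."""
    parts = line.split()
    if len(parts) < 4:
        return None
    client, url = parts[1], parts[3]
    u = urlsplit(url)
    # Hostnames are case-insensitive, so normalise before comparing.
    if u.hostname and u.hostname.lower() in DOWNLOAD_HOSTS and u.path == DOWNLOAD_PATH:
        return {"client": client, "indicator": url, "reason": "dridex_download_url"}
    return None


def match_firewall_line(line):
    """Return a hit dict if the destination is one of the reported C2 addresses.

    Any contact with a C2 IP is flagged; the reason records whether the
    port also matches the 8080 seen in the post, so analysts can prioritise.
    """
    m = FW_RE.match(line.strip())
    if not m or m.group("dst") not in C2_IPS:
        return None
    reason = "dridex_c2_ip_port" if int(m.group("dport")) == C2_PORT else "dridex_c2_ip_other_port"
    return {"client": m.group("src"), "indicator": f"{m.group('dst')}:{m.group('dport')}", "reason": reason}


def scan_logs(proxy_text, firewall_text):
    """Run both matchers over the given log texts and collect all hits in order."""
    hits = []
    for line in proxy_text.splitlines():
        h = match_proxy_line(line)
        if h:
            hits.append(h)
    for line in firewall_text.splitlines():
        h = match_firewall_line(line)
        if h:
            hits.append(h)
    return hits


def affected_clients(hits):
    """Internal hosts that touched any indicator: the candidates for isolation and triage."""
    return sorted({h["client"] for h in hits})


def is_known_bad(data):
    """True if the bytes hash to either SHA256 value reported in the post."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


if __name__ == "__main__":
    found = scan_logs(SAMPLE_PROXY_LOG, SAMPLE_FIREWALL_LOG)
    for h in found:
        print(h)
    print("clients to isolate:", affected_clients(found))
```

Matching on the normalised hostname plus exact path rather than on the raw string avoids missing requests whose host casing differs, and flagging any contact with a C2 IP (while recording whether the port matched) keeps the rule useful if the operators change the port but not the infrastructure.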

MX Lab recommends not opening this Word document, or at least keeping macro execution disabled in the security settings so that macros do not run when a Word (or Excel) file is opened.

2 thoughts on “Email “Signature Invoice 44281” contains malicious Word file”

  1. can this virus also affect smartphones?
    I have a Lumia 920 and happened to execute the invoice.doc.
    macros nonetheless are disabled in office applications and internet settings do not allow downloading files from the internet.
