Emails carrying a malicious Word or Excel attachment whose macro downloads the actual trojan are very popular these days. MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Signature Invoice 44281”.
This email is sent from the spoofed address “Rhianna Wellings <Rhianna@teckentrupdepot.co.uk>” and has the following body:
Your report is attached in DOC format.
To load the report, you will need the Microsoft® Word® reader, available to download at http://www.microsoft.com/
The attached file Signature Invoice.doc, 38 kB in size, is a Word file with an embedded macro that downloads the actual trojan.
At the time of writing, the malicious Word file is not being marked as dangerous by any AV engine at Virus Total.
Use the Virus Total permalink or Malwr permalink for more detailed information.
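Because the document itself was clean on Virus Total at the time of writing, a local triage step is useful. The following is an added example, not MX Lab's tooling: a pure-Python heuristic that checks whether a file is an OLE compound document (the legacy .doc container), looks for the directory-entry names Word writes when a VBA project is present (Macros, VBA, _VBA_PROJECT, PROJECT, dir), checks for the "Attribut" fragment that survives MS-OVBA compression of module streams, and computes the SHA-256 needed for a Virus Total lookup. The sample documents are constructed in the block (build_sample_doc) so it runs offline; stream-name matching and the 128-byte alignment check are heuristics, not a full OLE parser, and the downloader strings are only found if the module text is visible uncompressed.

```python
import hashlib

# OLE2 compound document magic (legacy .doc / .xls).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Directory entry names present when a Word document carries a VBA project.
# Names are stored UTF-16LE with a two-byte NUL terminator.
MACRO_STREAM_NAMES = ("Macros", "VBA", "_VBA_PROJECT", "PROJECT", "dir")
# Compressed VBA module streams start with the literal "Attribute VB_Name";
# the NUL-delimited "Attribut" survives compression (classic YARA indicator).
COMPRESSED_VBA_MARKER = b"\x00Attribut\x00"
# Calls a downloader macro typically needs; weak signal, only visible in
# uncompressed module text.
DOWNLOADER_HINTS = (b"URLDownloadToFile", b"MSXML2.XMLHTTP",
                    b"ADODB.Stream", b"WScript.Shell")


def utf16(name):
    return name.encode("utf-16-le")


def find_stream_names(blob):
    """Return the macro-related directory names found on 128-byte entry
    boundaries (OLE directory entries are 128 bytes, sectors 512/4096)."""
    found = []
    for name in MACRO_STREAM_NAMES:
        needle = utf16(name) + b"\x00\x00"
        pos = blob.find(needle)
        while pos != -1:
            if pos % 128 == 0:          # aligned like a real directory entry
                found.append(name)
                break
            pos = blob.find(needle, pos + 1)
    return found


def triage(blob):
    """Heuristic indicators for a raw file, plus the hash used by Virus Total."""
    sha256 = hashlib.sha256(blob).hexdigest()
    is_ole = blob[:8] == OLE_MAGIC
    streams = find_stream_names(blob) if is_ole else []
    return {
        "size_kb": round(len(blob) / 1024, 1),
        "sha256": sha256,
        "is_ole": is_ole,
        "macro_streams": streams,
        "compressed_vba": COMPRESSED_VBA_MARKER in blob,
        "downloader_hints": [h.decode() for h in DOWNLOADER_HINTS if h in blob],
        "has_macro": is_ole and bool(streams),
        "vt_lookup": "https://www.virustotal.com/gui/file/" + sha256,
    }


def build_sample_doc(with_macros):
    """Constructed stand-in for a .doc: OLE header, one directory sector of
    128-byte entries, and (optionally) a fake module stream. Not real malware."""
    header = OLE_MAGIC + b"\x00" * (512 - 8)
    names = ["Root Entry", "WordDocument", "1Table", "\x05SummaryInformation"]
    if with_macros:
        names += ["Macros", "VBA", "ThisDocument", "_VBA_PROJECT", "dir"]
    directory = b"".join((utf16(n) + b"\x00\x00").ljust(128, b"\x00") for n in names)
    directory = directory.ljust(512 * ((len(directory) + 511) // 512), b"\x00")
    body = b""
    if with_macros:
        body = (b"\x00Attribut\x00e VB_Nam\x00e = \"ThisDocument\"\r\n"
                b"Private Declare Function URLDownloadToFile Lib \"urlmon\"")
    return header + directory + body.ljust(512, b"\x00")


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_doc(True)
    for key, value in triage(blob).items():
        print(f"{key:17} {value}")
```

Run it against a suspicious attachment (`python triage.py "Signature Invoice.doc"`) from a sandbox; a .doc that is OLE, has Macros/VBA entries and the compressed-VBA marker warrants detonation or oletools/olevba analysis regardless of the AV verdict. An OOXML (.docm) file is a ZIP, so `is_ole` is false and the macros live in word/vbaProject.bin, which is itself an OLE blob you can feed to the same function.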
The Word macro downloads a 69 kB Windows executable, bin.exe, from the following locations:
The trojan is known as Dridex.K, Artemis!5971384FA151, PE:Malware.XPACK-LNR/Heur!1.5594 or UDS:DangerousObject.Multi.Generic.
A file will be created at %TEMP%\1V2MUY2XWYSFXQ.exe and outbound traffic is generated on port 8080 towards the following IPs:
At the time of writing, 6 of the 56 AV engines at Virus Total detected the trojan.
Use the Virus Total permalink for more detailed information.
MX Lab recommends not opening this Word document, or at the very least keeping macro execution disabled in the Office security settings so that macros do not run when a Word (or Excel) file is opened.