Email NUCSOFT-Payroll December 2014 contains malicious Word file

MX Lab,, started to intercept a new trojan distribution campaign by email with the subject “NUCSOFT-Payroll December 2014”.

This email is send from the spoofed address “Eliza Fernandes <>” and has the following body:

Please find the data for payroll processing.

Please forward the PDF of summary.

Eliza Fernandes

Finance Dept.
This message contains privileged and confidential information and is intended only for an individual named. If you are not the intended recipient, you should not disseminate, distribute, store, print, copy or deliver this message. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted,
NUCSOFT : With You – Until Success and Beyond….
Visit us at

The attached file Payroll Dec’14.doc is a Word file with a macro that will download an executable from hxxp://

The trojan is known as Trojan.DridexKD.2066383, W32/Dridex.I, W32/Dridex.CLAQ-7786, Backdoor:Win32/Drixed.C or TROJ_DRIDEX.XBZ.

At the time of writing, 20 of the 56 AV engines did detect the trojan at Virus Total.

Use the Virus Total permalink  for more detailed information.
SHA256: 4d3bb0cfba9f6090e2704fe003e373002f906df0d59c68e73ff0d8a20cd36884