Email invoice EME018.docx contains malicious Word file


MX Lab, http://www.mxlab.eu, has started intercepting a new malware distribution campaign by email with the subject “invoice EME018.docx”.

This email is sent from the spoofed address “Ieuan James <emerysieuan@gmail.com>” and has an empty body.

The email in question rendered as if it were malformed or corrupted, but it is possible that some email clients will display it correctly:

--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: 7bit

--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
Content-Type: application/msword;
	name="invoice EME018.doc";
	x-apple-part-url=D103C3C9-1CC9-4BE2-89E7-EB608B41F92A
Content-Disposition: attachment;
	filename="invoice EME018.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQA

--- base64 attachment body continues ---

The attached file invoice EME018.doc is a Word document containing a macro that downloads the actual malware. Note that the subject advertises a .docx while the attachment is a legacy binary .doc: the start of the base64 body, 0M8R4KGxGuE, decodes to D0 CF 11 E0 A1 B1 1A E1, the OLE2 compound-file signature. The macro only runs if the recipient opens the document and enables macros, which Word disables by default and prompts for.

At the time of writing, only 1 of the 56 AV engines on VirusTotal detected the trojan.

Use the VirusTotal permalink for more detailed information.
SHA256: 66a2de2890ebaf7ca4521f97a44c5f30371aea72dc1023b051fea4ef3da94ece


UPDATE: 08/01/2015 11:20

The Word macro downloads the file bin.exe from the following locations (URLs defanged):

hxxp://ecovoyage.hi2.ro/js/bin.exe
hxxp://mateusz321.cba.pl/js/bin.exe

The trojan is detected as Gen:Variant.Kazy.531412, Downloader-FANV!8B52FF380807 or Dridex.K.

Use VirusTotal or Malwr for more detailed information.
SHA256: 12f6d880b94e16fbc1fca0ba1c97b47373e81e03cffc8d08954db13dea1c0678
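As an added example (not MX Lab's own tooling), the following Python script ties the indicators above together: it parses a raw message of the shape shown earlier, extracts the application/msword attachment, verifies the OLE2 magic that the base64 prefix 0M8R4KGxGuE decodes to, checks for a mismatch between the file extension and the container format, hashes the attachment against the two SHA256 values quoted in this post, and matches the two bin.exe download URLs against log text. The sample message and proxy log embedded in it are constructed for the example; the attachment body is only the short base64 excerpt this post shows, padded with one "=" so it decodes, so it is a 32-byte OLE2 header stub and its hash will not match the real attachment's.

```python
"""Triage the 'invoice EME018' e-mail: extract the Word attachment from the raw
message, check its container magic, hash it against the SHA256 indicators quoted
in the post, and match the bin.exe download URLs against log text.
Added example, not MX Lab's tooling; SAMPLE_EML and SAMPLE_PROXY_LOG are constructed."""
import email
import hashlib
import json
import re
from email import policy

# OLE2 compound-file signature: every legacy .doc/.xls/.ppt starts with it.
# The page's base64 excerpt '0M8R4KGxGuE' decodes to exactly these eight bytes.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
ZIP_MAGIC = b"PK\x03\x04"  # OOXML .docx/.xlsx containers are ZIP archives
# Container each extension promises; a mismatch means the name lies about the format.
EXPECTED_MAGIC = {".doc": OLE2_MAGIC, ".xls": OLE2_MAGIC, ".docx": ZIP_MAGIC, ".xlsx": ZIP_MAGIC}

# Indicators quoted in the post: attachment hash, bin.exe hash, download URLs (defanged).
IOC_SHA256 = {
    "66a2de2890ebaf7ca4521f97a44c5f30371aea72dc1023b051fea4ef3da94ece": "invoice EME018.doc (macro downloader)",
    "12f6d880b94e16fbc1fca0ba1c97b47373e81e03cffc8d08954db13dea1c0678": "bin.exe (Dridex)",
}
IOC_URLS = {"hxxp://ecovoyage.hi2.ro/js/bin.exe", "hxxp://mateusz321.cba.pl/js/bin.exe"}

# The page's 43-char base64 excerpt (magic, 16 zero CLSID bytes, version/byte-order/
# sector-size fields) plus one '=' so it decodes: a 32-byte OLE2 header stub.
B64_EXCERPT = "0M8R4KGxGuE" + "A" * 21 + "PgADAP7/CQA="

# Constructed sample in the shape of the intercepted message (empty text part, .doc attachment).
SAMPLE_EML = """\
From: Ieuan James <emerysieuan@gmail.com>
Subject: invoice EME018.docx
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905"

--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
Content-Type: application/msword; name="invoice EME018.doc"
Content-Disposition: attachment; filename="invoice EME018.doc"
Content-Transfer-Encoding: base64

{}
--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905--
""".format(B64_EXCERPT)

# Constructed proxy log with a fetch from each of the two download locations.
SAMPLE_PROXY_LOG = """\
2015-01-08 11:19:57 10.0.0.12 GET http://www.example.com/ 200
2015-01-08 11:20:03 10.0.0.12 GET http://ecovoyage.hi2.ro/js/bin.exe 200
2015-01-08 11:20:05 10.0.0.12 GET http://mateusz321.cba.pl/js/bin.exe 404
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def refang(url):
    """Turn a defanged hxxp:// indicator back into a matchable URL."""
    return url.strip().replace("hxxp", "http", 1)


def extension_mismatch(filename, blob):
    """True when the bytes do not start with the magic the file extension promises."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    expected = EXPECTED_MAGIC.get(ext)
    return expected is not None and not blob.startswith(expected)


def extract_attachments(raw_message):
    """Parse a raw RFC 822 message; return [(filename, content_type, bytes), ...]."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # get_payload(decode=True) undoes the base64 transfer encoding, tolerating bad padding.
    return [(part.get_filename() or "", part.get_content_type(), part.get_payload(decode=True))
            for part in msg.iter_attachments()]


def triage_message(raw_message):
    """Build a triage report: envelope fields plus findings for every attachment."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    report = {"from": str(msg["From"]), "subject": str(msg["Subject"] or "").strip(), "attachments": []}
    for name, ctype, blob in extract_attachments(raw_message):
        sha256 = hashlib.sha256(blob).hexdigest()
        report["attachments"].append({
            "filename": name, "content_type": ctype, "size": len(blob),
            "is_ole2": blob.startswith(OLE2_MAGIC),
            "extension_mismatch": extension_mismatch(name, blob),
            "sha256": sha256,
            "known_ioc": IOC_SHA256.get(sha256),  # None unless it is a hash quoted in the post
        })
    # Subject promises 'invoice EME018.docx' but the attachment is 'invoice EME018.doc'.
    report["subject_names_attachment"] = any(a["filename"] == report["subject"] for a in report["attachments"])
    return report


def match_ioc_urls(text):
    """Return the known download URLs found in free text (proxy log, macro source, sandbox report)."""
    wanted = {refang(u) for u in IOC_URLS}
    found = [m.group(0).rstrip(".,;)") for m in URL_RE.finditer(text.replace("hxxp", "http"))]
    return [u for u in found if u in wanted]


if __name__ == "__main__":
    print(json.dumps(triage_message(SAMPLE_EML), indent=2))
    print("IOC URLs in proxy log:", match_ioc_urls(SAMPLE_PROXY_LOG))
```

Run it against a saved .eml (pass the file contents to triage_message) to get the attachment hash for a VirusTotal lookup without opening the document; the magic check is what catches a "docx" that is really an OLE2 file, and the URL matcher is meant for proxy logs or sandbox output once the macro has been seen to run.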

2 thoughts on “Email invoice EME018.docx contains malicious Word file”

  1. Had the same e-mail this morning – a lot of unintelligible gibberish in the main body of the e-mail, but no attachment.
    Having made several purchases yesterday I wondered if the message related to one of them, so I sent a reply asking him to re-submit, but the message came back “not Known”.

    As I understand it, the only problem arises if you click on an attachment which is not the case here, but can you please confirm.

    Thanks,

    • You’ve also had the ‘corrupted’ view, so in that case the Word file is not readable unless you take specific actions.

      However, avoid replying to such messages. In some cases you will contribute to “spam scatter” or give a confirmation that your email is indeed a valid one and your mailbox could become a target for more spam or malware.

      But regarding the email and the Word file, you’re safe.
