Malware: Payment request of 2537.78 (14 JAN 2015)


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Payment request of 2537.78 (14 JAN 2015)”.

This email is sent from spoofed sender addresses and has the following body:

Dear Sirs,

Sub: Remitance of GBP 2537.78

This is with reference to the above, we request you to kindly remit GBP 2537.78 in favor of our bank account.
For more information on our bank details please refer to the attached document.

Thanking you,
Phil Gilmore
Accounting Team

The attached file 11492UR.doc (the name may vary) contains a macro that downloads additional files from the following locations:

hxxp://95.163.121.71:8080/mopsi/popsi.php
hxxp://95.163.121.72:8080/mopsi/popsi.php
hxxp://136.243.237.204:8080/mopsi/popsi.php

The downloaded file is 114 kB in size and is named g08.exe.

At the time of writing, 6 of the 57 AV engines at VirusTotal detected the trojan.

See VirusTotal or Malwr for more detailed information.
SHA256: f4c36c6e702324f0edb9fd62d2d50bb08c6507ff53847f2816870414dff53eaf
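The indicators above (the three download URLs, the dropped file name and the SHA256) are the pieces a defender would turn into a retro-hunt over proxy logs and a file-hash check. The following is an added example, not code from MX Lab or from the original post: it refangs the defanged `hxxp://` URLs, matches them against a few constructed proxy log lines (the log format and the client IPs are made up for illustration) and compares a file's SHA256 against the published hash. An exact host, port and path match is reported as `exact`; a request to one of the listed hosts on a different port or path is reported as the weaker `host` match, since the same infrastructure may serve other paths.

```python
"""Match the IoCs from the MX Lab alert against proxy log lines and a file hash.

Added example: the log lines, client addresses and log layout below are
constructed for illustration and are not from the original alert.
"""
import hashlib
import re
from urllib.parse import urlparse

# IoCs exactly as published in the alert (URLs are defanged with hxxp://).
DEFANGED_URLS = [
    "hxxp://95.163.121.71:8080/mopsi/popsi.php",
    "hxxp://95.163.121.72:8080/mopsi/popsi.php",
    "hxxp://136.243.237.204:8080/mopsi/popsi.php",
]
PAYLOAD_NAME = "g08.exe"
PAYLOAD_SHA256 = "f4c36c6e702324f0edb9fd62d2d50bb08c6507ff53847f2816870414dff53eaf"


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// URL back into a parseable one."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def ioc_index(defanged_urls):
    """Build (host, port, path) triples and the bare host set for matching."""
    triples = set()
    hosts = set()
    for url in defanged_urls:
        parsed = urlparse(refang(url))
        triples.add((parsed.hostname, parsed.port, parsed.path))
        hosts.add(parsed.hostname)
    return triples, hosts


# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2015-01-14T09:12:01Z 10.0.0.15 GET http://95.163.121.71:8080/mopsi/popsi.php 200
2015-01-14T09:12:03Z 10.0.0.15 GET http://www.example.com/index.html 200
2015-01-14T09:13:44Z 10.0.0.22 GET HTTP://136.243.237.204:8080/mopsi/popsi.php 200
2015-01-14T09:14:10Z 10.0.0.31 GET http://95.163.121.71/mopsi/popsi.php 404
"""


def find_c2_requests(log_text, defanged_urls=DEFANGED_URLS):
    """Return one dict per log line that touches the listed infrastructure.

    'exact' means host, port and path all match a published URL;
    'host' means only the host matches (different port or path).
    """
    triples, hosts = ioc_index(defanged_urls)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than crash the hunt
        timestamp, client, _method, url, _status = parts[:5]
        parsed = urlparse(url)  # urlparse lowercases the scheme for us
        key = (parsed.hostname, parsed.port, parsed.path)
        if key in triples:
            hits.append({"time": timestamp, "client": client, "url": url, "match": "exact"})
        elif parsed.hostname in hosts:
            hits.append({"time": timestamp, "client": client, "url": url, "match": "host"})
    return hits


def matches_payload(data):
    """True if the given file content hashes to the published SHA256."""
    return hashlib.sha256(data).hexdigest() == PAYLOAD_SHA256


if __name__ == "__main__":
    for hit in find_c2_requests(SAMPLE_LOG):
        print(f"{hit['match']:5} {hit['time']} {hit['client']} {hit['url']}")
    # A constructed byte string, so this prints False; feed real file bytes to check a sample.
    print("payload hash match:", matches_payload(b"constructed placeholder content"))
```

Running the block against the constructed log reports two exact matches and one host-only match; the `host` tier is worth triaging because the alert gives only one path, and a macro variant may fetch its payload from another path on the same server.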