Email “CIT Inv# 15000375 for PO# SP14161” contains malicious Word file


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “CIT Inv# 15000375 for PO# SP14161”.

This email is send from the spoofed address “_CIG-EDI@CIRCOR.COM” and has the following body:

Please do not respond to this email address.  For questions/inquires, please
contact our Accounts Receivable Department.

______________________________________________________________________
This email has been scanned by the MessageLabs outbound
Email Security System for CIRCOR International Inc.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

The attached file FOPRT01.DOC is a Word file with embedded macro that will download a trojan on your computer. The Word file is being recognized by 2 of the 57 AV engines at Virus Total and being named as W97M.Dropper.BN or VBA/TrojanDownloader.Agent.HG.

Use the Virus Total for more detailed information regarding the malicious Word file.
SHA256: 476eaa256c7a17e93e18312bc00049f9a838097bbdab8b8a56d581e3948dca23

MX Lab recommends not to open the attached Word file or at least disable macro execution.

 

One thought on “Email “CIT Inv# 15000375 for PO# SP14161” contains malicious Word file

Comments are closed.