Email “CIT Inv# 15000375 for PO# SP14161” contains malicious Word file

MX Lab,, started to intercept a new malware distribution campaign by email with the subject “CIT Inv# 15000375 for PO# SP14161”.

This email is send from the spoofed address “_CIG-EDI@CIRCOR.COM” and has the following body:

Please do not respond to this email address.  For questions/inquires, please
contact our Accounts Receivable Department.

This email has been scanned by the MessageLabs outbound
Email Security System for CIRCOR International Inc.
For more information please visit

The attached file FOPRT01.DOC is a Word file with embedded macro that will download a trojan on your computer. The Word file is being recognized by 2 of the 57 AV engines at Virus Total and being named as W97M.Dropper.BN or VBA/TrojanDownloader.Agent.HG.

Use the Virus Total for more detailed information regarding the malicious Word file.
SHA256: 476eaa256c7a17e93e18312bc00049f9a838097bbdab8b8a56d581e3948dca23

MX Lab recommends not to open the attached Word file or at least disable macro execution.


One thought on “Email “CIT Inv# 15000375 for PO# SP14161” contains malicious Word file

Comments are closed.