MX Lab, http://www.mxlab.eu, started to intercept a new malicious Word file distribution campaign by email with the subject “Refund on order 204-2374256-3787503” (number will vary with each email).
This email is sent from the spoofed address “Amazon.co.uk” <firstname.lastname@example.org> and has the following body:
Greetings from Amazon.co.uk.
We are writing to confirm that we are processing your refund in the amount of £4.89 for your
This amount has been credited to your payment method and will appear when your bank has processed it.
This refund is for the following item(s):
Item: Beautiful Bitch
Reason for refund: Customer return
The following is the breakdown of your refund for this item:
Item Refund: £4.89
Your refund is being credited as follows:
These amounts will be returned to your payment methods within 5 business days.
The amount credited to your Gift Card balance should be automatically applied to your next eligible
order on our website.
Have an issue with your refund, or a question about our refund policy?
Visit our Help section for more information:
Please note: The credit note for this transaction is attached to this e-mail and to open, you will
need Adobe Reader. If you do not have an Adobe Reader, please visit the following link to download
This credit note is the detailed breakdown of the refund showing the item(s), delivery costs and
associated VAT for each item. This credit note is largely applicable to business customers who
should retain it for accounting purposes. It’s not possible to redeem or use the credit
note number from this credit note towards an order. Visit our Help pages for more information on
Thank you for shopping at Amazon.co.uk.
Amazon.co.uk Customer Service
Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail.
Please do not reply to this message.
An advanced electronic signature has been attached to this electronic credit note. To add the certificate
as a trusted certificate, please follow these instructions:
1. Click on the ‘Signature Panel’ in the upper right corner
2. Expand the drop-down in the newly opened Signatures menu, expand the ‘Signature Details’ drop-down and
click ‘Certificate Details’
3. In the Certificate Viewer box click on the ‘Trust’ tab, click ‘Add To Trusted Certificates’ and then
4. In the Import Contact Settings box, ensure that ‘Use this certificate as a trusted root’ is selected,
click OK, and then click OK again
The attached 65 kB file 204-2374256-3787503-credit-note.doc is a malicious Word file containing a macro that will download other malware or a trojan.
The malicious Word file is known as Macro.Trojan-Downloader.Agent.EB@gen, W97M/Downloader.agm or MacroDrp.D. MX Lab recommends not opening the malicious Word file, or at least deactivating macros in Word.
At the time of writing, 4 of the 57 AV engines detected the trojan on VirusTotal.
See VirusTotal for more detailed information. SHA256: ce15debd4312acf2f6546c1bab4287cd410ed82e021f55d051634e6a416ad11a
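The traits described above (subject pattern, spoofed Amazon.co.uk display name, attachment named after the order number, an Adobe Reader lure paired with a Word file, and the published SHA256) can be checked at a mail gateway. The following is an added example, not MX Lab's code; the function names `campaign_traits` and `build_sample` are hypothetical and the sample message is constructed.

```python
import hashlib
import re
from email.message import EmailMessage
from email.utils import parseaddr

# SHA256 of the attachment as published in the advisory above.
KNOWN_SHA256 = "ce15debd4312acf2f6546c1bab4287cd410ed82e021f55d051634e6a416ad11a"
# Order-number shape used in the subject and the attachment name.
ORDER_RE = re.compile(r"\d{3}-\d{7}-\d{7}")


def campaign_traits(msg):
    """Return which traits of this campaign a parsed e-mail shows."""
    hits = []
    subject = str(msg.get("Subject", ""))
    order = ORDER_RE.search(subject)
    if order and subject.startswith("Refund on order"):
        hits.append("subject")
    name, addr = parseaddr(str(msg.get("From", "")))
    if "amazon.co.uk" in name.lower() and not addr.lower().endswith("@amazon.co.uk"):
        hits.append("spoofed-display-name")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if order and fname == order.group(0) + "-credit-note.doc":
            hits.append("attachment-name")
        # The body tells the reader to use Adobe Reader, yet the file is Word.
        if fname.endswith(".doc") and "adobe reader" in text.lower():
            hits.append("reader-lure-with-word-file")
        if hashlib.sha256(data).hexdigest() == KNOWN_SHA256:
            hits.append("known-sha256")
    return hits


def build_sample(from_hdr, subject, fname):
    """Constructed message for testing; attachment bytes are harmless filler."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["Subject"] = subject
    msg.set_content("To open the credit note you will need Adobe Reader.")
    msg.add_attachment(b"constructed filler bytes", maintype="application",
                       subtype="msword", filename=fname)
    return msg
```

Because the order number varies with each email, the structural traits are more durable than the hash, which only matches this one sample.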