Fake invoice in Word format from Free Mobile contains malicious macro


MX Lab, http://www.mxlab.eu, started to intercept a large malware distribution campaign by email with the subject “Facture mobile du 30-04-2015”.

This email is sent from the spoofed address “Free Mobile <freemobile@free-mobile.be>” and has the following body:

Dear subscriber,

Please find attached your mobile invoice
dated 30-04-2015, in the amount of 100.05€ for the line.

Kind regards.

The Free team


Free Mobile – SAS with a capital of 365.138.779 Euros

The attached file Freemobile_0679877017_30-04-2015.doc (file name may vary) is a Word file that contains a macro that will download other malware.

The Word file is detected as W97M.DownLoader.345, Trojan-Downloader.VBA.Agent (A), Macro.Trojan-Downloader.Agent.EB@gen, Trojan-Downloader.MSWord.Agent.jn, Troj/DocDl-MM or W2KM_DLOADR.CA.

At the time of writing, 11 of the 57 AV engines detected the trojan on VirusTotal.

See the VirusTotal report for more detailed information.
SHA256: 20de1316fe309450b65f0a863b39271726988f7e40cd0e7bcac3e304ddb28d13
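
An added example, not MX Lab's code: a mail-gateway triage check in Python that scores a raw message against the indicators listed above (subject, spoofed sender address, attachment SHA-256). The file-name pattern, the OLE2 header check and the verdict thresholds are assumptions, and the sample message is constructed.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators quoted in the advisory above.
SUBJECT = "Facture mobile du 30-04-2015"
SENDER = "freemobile@free-mobile.be"
SHA256 = "20de1316fe309450b65f0a863b39271726988f7e40cd0e7bcac3e304ddb28d13"
# Assumption: pattern generalised from the one file name shown ("file name may vary").
NAME_RE = re.compile(r"^Freemobile_\d+_\d{2}-\d{2}-\d{4}\.doc$", re.I)
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy Word .doc container header


def triage(raw: bytes) -> dict:
    """Return which campaign indicators a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = {
        "subject": SUBJECT.lower() in str(msg["Subject"] or "").lower(),
        "sender": SENDER in str(msg["From"] or "").lower(),
        "filename": False, "ole2_doc": False, "sha256": False,
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        hits["filename"] |= bool(NAME_RE.match(name))
        hits["ole2_doc"] |= data.startswith(OLE2_MAGIC)
        hits["sha256"] |= hashlib.sha256(data).hexdigest() == SHA256
    return hits


def verdict(hits: dict) -> str:
    """Assumed policy: exact hash match blocks; two or more weaker hits quarantine."""
    if hits["sha256"]:
        return "block"
    return "quarantine" if sum(hits.values()) >= 2 else "pass"


def sample_message() -> bytes:
    """Constructed sample: campaign headers with a harmless dummy attachment."""
    m = EmailMessage()
    m["From"] = "Free Mobile <freemobile@free-mobile.be>"
    m["To"] = "user@example.com"
    m["Subject"] = "Facture mobile du 30-04-2015"
    m.set_content("constructed body")
    m.add_attachment(OLE2_MAGIC + b"\x00" * 504, maintype="application",
                     subtype="msword", filename="Freemobile_0679877017_30-04-2015.doc")
    return m.as_bytes()
```

Because the attachment name varies and the sender is spoofed, the hash is the only exact indicator here; the other fields only raise the score for quarantine and review.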
