Multiple malware campaigns using malicious Word macro files to infect systems


MX Lab, http://www.mxlab.eu, started to intercept multiple malware distribution campaigns where a Word file with a malicious macro is used to download trojans and infect the system. Here is an overview:

HP Digital Sending device

This email is sent from a spoofed address similar to “HP Digital Sending device <HP394036@localhost>”, has no subject and has the following body:

Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.

The attached file is named Document.doc. The malware is known as Trojan-Downloader.VBA.Agent.nr (v), Macro.Trojan-Downloader.Agent.EB@gen or W97M/Downloader.agv.

At the time of writing, 5 of the 56 AV engines at VirusTotal detected the trojan.

See VirusTotal for more detailed information.
SHA256: 5ed8cad4b73d30dfb7ee4767d213b32d5897c3e323e1b84f6b99e49a2d5f081a

Invoice #00044105; From Deluxebase Ltd

This email is sent from the spoofed address “Anna <anna@deluxebase.com>” with the subject “Invoice #00044105; From Deluxebase Ltd” and has the following body:

Hello

Thank you for your order which has been dispatched, please find an invoice for the goods attached.
Please contact us immediately if you are unable to detach or download your Invoice.
As a valued customer we look forward to your continued business.

Regards
Accounts Department
Deluxebase Ltd
UK Phone: 01482 880050
UK Fax: 01482 883225
International Phone: +44 1482 880050
International Fax: +44 1482 883225
accounts@deluxebase.com
http://www.deluxebase.com

The attached file is named ESale.doc. The malware is known as Trojan-Downloader.VBA.Agent.nr (v), Macro.Trojan-Downloader.Agent.EB@gen or W97M/Downloader.agv.

At the time of writing, 5 of the 55 AV engines at VirusTotal detected the trojan.

See VirusTotal for more detailed information.
SHA256: 7f57dc1d3abd0f7240a92e34a07a46cdf1b3f8c8b60b4bbbafd348cfd893237f

Financial information

This email is sent from spoofed email addresses, has the subject “Financial information” and has a body similar to:

Good morning

Please find attached a remittance advice, relating to a payment made to you.

Many thanks

Regards,

Sallie Ray
Seniour Finance Assistant

The attached file is named sqkocfkqw_AC03100AA984.doc (name will vary).

At the time of writing, none of the 56 AV engines at VirusTotal detected the trojan.

See VirusTotal for more detailed information.
SHA256: 432c2969c7aef3561bb3d997c36dc887c36fba972c938f39994afdb2ab41a80e

Important information

This email is sent from a spoofed address, has the subject “Important information” and has a body similar to:

Good Afternoon,

Please see attached the copy of the remittance.

Please can you send a revised statement so we can settle any outstanding balances.

Kind Regards,

Rosa Chapman

The attached file is named 9f652096_414CE6CB87E2.doc (name will vary).

At the time of writing, none of the 55 AV engines at VirusTotal detected the trojan.

See VirusTotal for more detailed information.
SHA256: 32236980886eb0e924fac16abf1be0a0c2bec2bb33215e9d231c81abe7509d21

MX Lab recommends not opening any of the Word attachments described above and, at a minimum, keeping macros disabled by default in Office so that a document cannot run its downloader code simply by being opened. Note that two of the four samples had no AV detections at VirusTotal at the time of writing, so an engine verdict alone is not a safe basis for letting these attachments through.
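As an added example for this post (not MX Lab's own tooling), the following Python script shows how a mail gateway or an analyst can triage attachments like the ones above offline: it compares each file's SHA256 against the four hashes published here and, for legacy .doc files (OLE2 compound documents), scans for the directory entry names that Word only writes when the document carries a VBA project. The sample byte strings at the bottom are constructed, not real malware, and the stream-name scan is a heuristic substring search rather than a full OLE parser.

```python
"""Triage helper for suspicious Word attachments.

Added example for this post, not MX Lab tooling. It does two things a mail
gateway or analyst can do offline: compare an attachment's SHA256 against
the hashes published in the post, and, for legacy .doc (OLE2 compound)
files, flag the directory stream names that only a VBA project carries.
"""
import hashlib

# SHA256 hashes of the four samples listed in the post.
KNOWN_BAD_SHA256 = {
    "5ed8cad4b73d30dfb7ee4767d213b32d5897c3e323e1b84f6b99e49a2d5f081a":
        "HP Digital Sending device (Document.doc)",
    "7f57dc1d3abd0f7240a92e34a07a46cdf1b3f8c8b60b4bbbafd348cfd893237f":
        "Invoice #00044105; From Deluxebase Ltd (ESale.doc)",
    "432c2969c7aef3561bb3d997c36dc887c36fba972c938f39994afdb2ab41a80e":
        "Financial information (remittance advice .doc)",
    "32236980886eb0e924fac16abf1be0a0c2bec2bb33215e9d231c81abe7509d21":
        "Important information (remittance copy .doc)",
}

# Magic bytes of an OLE2 compound file, the container used by legacy .doc files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Storage/stream names Word writes only when the document holds a VBA project.
# Directory entry names are stored as UTF-16LE inside the container, so the
# scan below encodes them the same way before searching.
VBA_STREAM_NAMES = ("Macros", "_VBA_PROJECT", "ThisDocument")


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of the attachment bytes, the form VirusTotal reports."""
    return hashlib.sha256(data).hexdigest()


def match_ioc(digest: str):
    """Return the campaign label for a known-bad hash, or None."""
    return KNOWN_BAD_SHA256.get(digest.lower())


def is_ole(data: bytes) -> bool:
    return data.startswith(OLE_MAGIC)


def vba_indicators(data: bytes) -> list:
    """VBA-related directory names present in an OLE file. Heuristic: a raw
    UTF-16LE substring scan, so it does not walk the FAT/directory and will
    not see encrypted or deliberately obfuscated containers."""
    return [name for name in VBA_STREAM_NAMES
            if name.encode("utf-16-le") in data]


def triage(filename: str, data: bytes) -> dict:
    """Classify one attachment as known-bad, macro-present or unflagged."""
    digest = sha256_hex(data)
    result = {
        "file": filename,
        "sha256": digest,
        "ole": is_ole(data),
        "vba_streams": [],
        "campaign": match_ioc(digest),
        "verdict": "unflagged",
    }
    if result["campaign"]:
        result["verdict"] = "known-bad"
    elif result["ole"]:
        result["vba_streams"] = vba_indicators(data)
        if result["vba_streams"]:
            # Not proof of malice on its own, but for an unsolicited
            # "invoice" or "remittance" .doc this is the condition to
            # block or sandbox on.
            result["verdict"] = "macro-present"
    return result


# Constructed sample inputs (not real malware): minimal byte strings carrying
# the OLE header and the directory names a macro-bearing .doc has.
MACRO_DOC = (OLE_MAGIC + b"\x00" * 24
             + "WordDocument".encode("utf-16-le") + b"\x00" * 8
             + "Macros".encode("utf-16-le") + b"\x00" * 8
             + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 8
             + "ThisDocument".encode("utf-16-le"))
PLAIN_DOC = (OLE_MAGIC + b"\x00" * 24
             + "WordDocument".encode("utf-16-le") + b"\x00" * 8
             + "1Table".encode("utf-16-le"))
NOT_OLE = b"%PDF-1.4\n% constructed, not a Word file\n"

if __name__ == "__main__":
    for name, blob in (("ESale.doc", MACRO_DOC),
                       ("statement.doc", PLAIN_DOC),
                       ("remittance.pdf", NOT_OLE)):
        print(triage(name, blob))
```

Hash matching only catches these exact samples; the post already notes that the file names vary, and a rebuilt document gets a new hash, so the macro-presence check is the control that keeps working across a campaign. It covers legacy .doc files only: .docm/.docx attachments are zip containers whose VBA lives in word/vbaProject.bin and would need to be unzipped before the same stream-name scan applies.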