Fake email from Free Mobile with invoice contains malicious Word file

MX Lab, http://www.mxlab.eu, started to intercept a large malware distribution campaign by email with the subject “Facture mobile du 20-05-2015” with similar characteristics as the previous campaign of the 6th May 2015.

This email is send from the spoofed address “Free Mobile <freemobile@free-mobile.be>” and has the following body:

Cher(e) abonné(e),

Veuillez trouver en pièce jointe votre facture mobile
du 20-05-2015, d’un montant de 15.99€ pour la ligne.

Vous pouvez tout moment désactiver la réception de votre facture par email dans votre espace abonné : http://mobile.free.be

Sincères salutations.

L’équipe Free

Free Mobile – SAS au capital de 365.138.779 Euros

The 67 kB large attached file Freemobile_0608490364_20-05-2015.doc (file name may vary) is a Word file that contains a macro that will download other malware.

The Word file is being named as W97M.DownLoader.345, Trojan-Downloader.VBA.Agent (A), Macro.Trojan-Downloader.Agent.EB@gen, Trojan-Downloader.MSWord.Agent.jn, Troj/DocDl-MM or W2KM_DLOADR.CA.

At the time of writing, 6 of the 67 AV engines did detect the trojan at Virus Total.

Use the Virus Total for more detailed information.
SHA256: 8f64e01696b0b00ce4a12d1820f7d0c5d099a0c04dd5e835b29dff12fb393ff0

MX Lab recommends not to open any of the above attached Word files or at least disable macros by default.