Fake email “Your Air France boarding documents on 3Aug” contains malicious Word doc


MX Lab, http://www.mxlab.eu, started to intercept a distribution campaign by email with an malicious Word file attached.

This email is send from the spoofed address”Air France <cartedembarquement@airfrance.fr>”, with a reply to address “noreply@airfrance.fr”, has the subject “Your Air France boarding documents on 3Aug” and has the following body:

Airfrance SkyTeam

Attached is your Air France boarding pass.

Attached is your boarding pass in PDF format.

Important information
Your boarding pass in PDF format is only valid when printed. Please print this document and present it at the airport.
Please print your boarding pass in PDF format.

If you are not able to print your boarding pass, please print it at the airport, using a Self-Service Kiosk or at a check-in counter.

Thank you for choosing Air France. We wish you a pleasant flight. This is an automatically generated e-mail. Please do not reply.

AF KLM
Legal notice
Air France is committed to protecting your privacy. Our privacy policy specifies:
how we use the data we collect about you
the measures we employ to protect your privacy.

You will also find the procedure for limiting the use of your data.

The attached file Boarding-documents.docm is 25 kB large and is a Word document with embedded malicous macro.

The Word macro is known as LooksLike.Macro.Malware.g (v), HEUR.VBA.Trojan, Trojan:W97M/MaliciousMacro.GEN, W97M/Downloader or W2KM_BA.35831666.

At the time of writing, 9 of the 55 AV engines did detect the malicious Word file at Virus Total.

Use the Virus Total  for more detailed information.
SHA256: 1d0131590382a18819c4f3b06017696707298275a4a725beaea8b7a25afbef56

One thought on “Fake email “Your Air France boarding documents on 3Aug” contains malicious Word doc

Comments are closed.