MX Lab, http://www.mxlab.eu, has started to intercept a new malware distribution campaign by email. Examples of the emails follow.
This example email is sent from the spoofed address “Reagan Nelson <firstname.lastname@example.org>” with subject “M Transfer” and has the following body:
Please review the payment confirmation enclosed with this email. The Transfer should appear on your bank in 1-2 days.
Assistant Finance Manager
This example email is sent from the spoofed address “Anastasia Hampton <email@example.com>” with subject “H Transaction” and has the following body:
Please find the payment details enclosed with this message. The Transaction will be posted on your bank within 48 hours.
Tax Manager CPA Accountant
Intuitive Surgical, Inc.
This example email is sent from the spoofed address “Avye Myers <firstname.lastname@example.org>” with subject “DW Transaction” and has the following body:
Please find the payment details enclosed with this email. The Payment will be posted on your account in one day.
Other used subjects are:
The attached file is a 220 kB Word file containing a malicious macro. The file name is different in each email.
The malware is known as LooksLike.Macro.Malware.h (v), HEUR.VBA.Trojan, W97M/Dropper.ae or Trojan.Script.Agent.dytmvr.
At the time of writing, 6 of the 55 AV engines detected the trojan at Virus Total.
See Virus Total for more detailed information.
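A mail triage check built from the traits described above (the subject pattern, a Word attachment of roughly 220 kB, a macro inside), as an added example that is not MX Lab's code. The subject regex is generalised from the three sample subjects, the size window and the VBA byte markers are assumptions, and the test messages are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: 1-2 capital letters plus a payment word, generalised from the
# three sample subjects ("M Transfer", "H Transaction", "DW Transaction").
SUBJECT_RE = re.compile(r"^[A-Z]{1,2} (Transfer|Transaction)$")
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc container
ZIP_MAGIC = b"PK\x03\x04"                      # .docm/.docx container
SIZE_RANGE = (150_000, 300_000)  # assumption: loose window around 220 kB
# Heuristic markers: UTF-16 "VBA" storage name (OLE), macro part name (zip)
VBA_MARKERS = (b"V\x00B\x00A\x00", b"vbaProject.bin")


def triage(raw):
    """Return the campaign traits found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if SUBJECT_RE.match(str(msg["Subject"] or "").strip()):
        reasons.append("subject-pattern")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Inspect content, not the file name: the name changes per email.
        if not data.startswith((OLE_MAGIC, ZIP_MAGIC)):
            continue
        reasons.append("office-container")
        if SIZE_RANGE[0] <= len(data) <= SIZE_RANGE[1]:
            reasons.append("size-near-220kB")
        if any(marker in data for marker in VBA_MARKERS):
            reasons.append("vba-marker")
    return reasons


def build_sample(subject, attachment=None):
    """Build a constructed test message; no value here is a real sample."""
    m = EmailMessage()
    m["From"] = "Sender Name <sender@example.org>"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Please find the payment details enclosed.")
    if attachment is not None:
        m.add_attachment(attachment, maintype="application",
                         subtype="msword", filename="constructed.doc")
    return m.as_bytes()


if __name__ == "__main__":
    fake_doc = OLE_MAGIC + VBA_MARKERS[0] + b"\x00" * 220_000
    print(triage(build_sample("DW Transaction", fake_doc)))
    print(triage(build_sample("Quarterly report")))
```

A subject match alone is a weak signal; the combination of all four traits is what merits quarantine and manual review.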
Update 26.1.2015 – 15:00
Malware will be downloaded from the following host: harbourviewnl.ca/jo.jpg?6625
This URL will download the file YSpq2bkGVIi5yaPcv6667.ex that is known by 1 AV engine at Virus Total as QVM19.1.Malware.Gen.