Fake email with enclosed payment confirmation contains malicious Word file


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email, with emails like the following:

This example email is sent from the spoofed address “Reagan Nelson <rmarinas@artesgraficasg3.es>” with subject “M  Transfer” and has the following body:

Please review the payment confirmation enclosed with this email. The Transfer should appear on your bank in 1-2 days.

Reagan Nelson
Assistant Finance Manager
Synopsys, Inc.

This example email is sent from the spoofed address “Anastasia Hampton <whouston@kazooga.com>” with subject “H  Transaction” and has the following body:

Please find the payment details enclosed with this message. The Transaction will be posted on your bank within 48 hours.

Anastasia Hampton
Tax Manager CPA Accountant
Intuitive Surgical, Inc.

This example email is sent from the spoofed address “Avye Myers <it.scsggn@dtdc.com>” with subject “DW  Transaction” and has the following body:

Please find the payment details enclosed with this email. The Payment will be posted on your account in one day.

Avye Myers
Fund Administrator
Genesco Inc.

Other subjects used are:

C Invoice
G Transaction
M Invoice
Q Transfer
QYL Payment
T Invoice
TE Transaction
WJ Invoice
ZZJ Transaction

The attached file is a 220 kB Word file containing a malicious macro. The file name is different in each email.

The malware is known as LooksLike.Macro.Malware.h (v), HEUR.VBA.Trojan, W97M/Dropper.ae or Trojan.Script.Agent.dytmvr.

At the time of writing, 6 of the 55 AV engines at Virus Total detected the trojan.

Use Virus Total for more detailed information.
SHA256: 51a4d1df3c45da19d9ce9599d222ae6806850beee842f81b9363d8dffa82c01f

Update 26.1.2015 – 15:00

Malware will be downloaded from the following host: harbourviewnl.ca/jo.jpg?6625

This URL downloads the file YSpq2bkGVIi5yaPcv6667.ex, which is known to 1 AV engine at Virus Total as QVM19.1.Malware.Gen.
SHA256: d45c0463489cf01d03009f4ffc33b817b707a6a982de1cd2b64bd414e84fe2ef
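The following is an added example, not part of the MX Lab post, showing how a mail gateway or SOC script could flag messages from this campaign using only the indicators given above: the short-token subject pattern ("M  Transfer", "DW  Transaction", "QYL Payment"), the recurring body wording, a Word attachment, and the two published SHA256 values. The regular expressions are my own generalisation of the samples listed in the post, the sample message is constructed here (its attachment is placeholder bytes, not the real dropper), and the `suspicious` threshold of two matching indicators is an assumption.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# SHA256 values published in the MX Lab post: the Word dropper and the payload
# fetched from harbourviewnl.ca (the page's own IoCs, not constructed).
KNOWN_BAD_SHA256 = {
    "51a4d1df3c45da19d9ce9599d222ae6806850beee842f81b9363d8dffa82c01f",
    "d45c0463489cf01d03009f4ffc33b817b707a6a982de1cd2b64bd414e84fe2ef",
}

# Assumed generalisation of the observed subjects: 1-3 capital letters, whitespace,
# then one of the four payment words (e.g. "M  Transfer", "DW  Transaction").
SUBJECT_RE = re.compile(r"^\s*[A-Z]{1,3}\s+(Invoice|Transaction|Transfer|Payment)\s*$")

# Assumed generalisation of the three body texts quoted in the post.
BODY_RE = re.compile(r"payment (confirmation|details) enclosed with this (email|message)", re.I)

# Extensions a macro-capable Word attachment would carry.
OFFICE_EXT = (".doc", ".docm", ".dot", ".dotm")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def score_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and collect the campaign indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")
    reasons = []

    if SUBJECT_RE.match(subject):
        reasons.append("subject matches campaign pattern")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if BODY_RE.search(body):
        reasons.append("body matches campaign wording")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(OFFICE_EXT):
            reasons.append(f"word attachment {name!r}")
            # Hash match is the strongest signal; it alone is enough to quarantine.
            if sha256_bytes(payload) in KNOWN_BAD_SHA256:
                reasons.append("attachment hash in IoC list")

    # Assumed policy: two independent indicators (or a hash hit) mark the mail as suspicious.
    hash_hit = "attachment hash in IoC list" in reasons
    return {"subject": subject, "reasons": reasons, "suspicious": hash_hit or len(reasons) >= 2}


def build_sample() -> bytes:
    """Constructed message modelled on the first sample in the post (placeholder attachment)."""
    m = EmailMessage()
    m["From"] = "Reagan Nelson <rmarinas@artesgraficasg3.es>"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = "M  Transfer"
    m.set_content(
        "Please review the payment confirmation enclosed with this email. "
        "The Transfer should appear on your bank in 1-2 days.\n\nReagan Nelson\n"
    )
    # Placeholder bytes standing in for the ~220 kB Word file; not the real dropper.
    m.add_attachment(b"PLACEHOLDER-NOT-A-REAL-DOC", maintype="application",
                     subtype="msword", filename="payment_8812.doc")
    return m.as_bytes()


def build_benign() -> bytes:
    """Constructed unrelated message used to show the rules do not fire on ordinary mail."""
    m = EmailMessage()
    m["From"] = "colleague@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = "Team lunch on Friday"
    m.set_content("See you at noon.\n")
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample(), build_benign()):
        print(score_message(raw))
```

The subject and body rules are deliberately narrow so they can sit in a gateway without generating much noise; the hash check is exact and will only fire on the two published samples, which is why it short-circuits the two-indicator threshold. For a real deployment the IoC set would be fed from a threat-intel source rather than hard-coded.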