Fake email from Tracey Smith at AquAid “Card Receipt” contains malicious Word file


MX Lab, http://www.mxlab.eu, started to intercept a new Excel malware distribution campaign by email with the subject “Card Receipt”.

The company name AquAid was also used last year in a similar malware campaign.

This email is sent from the spoofed address “Tracey Smith <tracey.smith@aquaid.co.uk>” and has the following body:

Hi

Please find attached receipt of payment made to us today

Regards
Tracey

Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
Telephone: 0121 525 4533
Fax: 0121 525 3502
Mobile: 07795328895
Email: tracey.smith@aquaid.co.uk

The attached file CAR014 151238.doc is a 113 kB Word file with an embedded malicious macro that downloads a trojan from a remote host.

The malware file is known as LooksLike.Macro.Malware.gen!d3 (v) or W97M.Dropper.KV.

At the time of writing, 3 of the 50 AV engines at VirusTotal detected the malware.

Use VirusTotal for more detailed information.
SHA256: dec8babe98f74c83f9e3c903f2d8d76cfd23c7835b2d1c98265a4bef2e7ea334

Update 01/12/2015 – 12:15:

The macro will download the malware from the following hosts:

rotulosvillarreal.com/~clientes/6543f/9o8jhdw.exe
data.axima.cz/~krejcir/6543f/9o8jhdw.exe

The malware can make a connection to the following IP: 94.73.155.12

The trojan is known as HW32.Packed.20F9, BehavesLike.Win32.PWSZbot.cc or HEUR/QVM07.1.Malware.Gen. As with most recent Word/Excel macro malware, this is linked to the Dridex banking trojan.

At the time of writing, 3 of the 54 AV engines at VirusTotal detected the trojan.

Use VirusTotal for more detailed information.
SHA256: 6c0893a5477d185813e588b5bf816005d124065bfbbd4f8a6b37f1b211039c79
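The indicators above (the two SHA256 hashes, the two download URLs and the IP) are most useful when turned into something a defender can run over their own telemetry. The following script is an added example, not part of the MX Lab post: it loads the post's indicators and matches them against constructed proxy and connection log lines (the log format, client addresses and timestamps are invented for the example), and hashes an attachment to compare it with the known samples. Note that the second download host matches on hostname alone, so a hit on a different path from that host is flagged separately from an exact payload URL.

```python
import hashlib
from urllib.parse import urlsplit

# Indicators quoted from the MX Lab post above (sample hashes, download URLs, C2 IP).
KNOWN_SHA256 = {
    "dec8babe98f74c83f9e3c903f2d8d76cfd23c7835b2d1c98265a4bef2e7ea334": "CAR014 151238.doc (macro dropper)",
    "6c0893a5477d185813e588b5bf816005d124065bfbbd4f8a6b37f1b211039c79": "9o8jhdw.exe (Dridex-linked trojan)",
}
PAYLOAD_URLS = {
    "rotulosvillarreal.com/~clientes/6543f/9o8jhdw.exe",
    "data.axima.cz/~krejcir/6543f/9o8jhdw.exe",
}
PAYLOAD_HOSTS = {u.split("/", 1)[0] for u in PAYLOAD_URLS}
C2_IPS = {"94.73.155.12"}


def split_url(raw):
    """Normalise a URL with or without a scheme into (lowercase host, path)."""
    if "://" not in raw:
        raw = "http://" + raw
    parts = urlsplit(raw)
    return (parts.hostname or "").lower(), parts.path


def classify_url(raw):
    """Return 'payload-url' for an exact match, 'payload-host' for a host-only match, else None."""
    host, path = split_url(raw)
    if host + path in PAYLOAD_URLS:
        return "payload-url"
    if host in PAYLOAD_HOSTS:
        return "payload-host"
    return None


def scan_proxy_log(lines):
    """Match URL indicators in constructed proxy log lines of the form
    '<timestamp> <client_ip> <method> <url> <status>'. Returns (client_ip, url, reason) tuples."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines instead of crashing the scan
        client, url = fields[1], fields[3]
        reason = classify_url(url)
        if reason:
            hits.append((client, url, reason))
    return hits


def scan_connection_log(lines):
    """Match the post's C2 IP in constructed connection log lines of the form
    '<timestamp> <src_ip> <dst_ip> <dst_port>'. Returns (src_ip, dst_ip, dst_port) tuples."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        src, dst, port = fields[1], fields[2], fields[3]
        if dst in C2_IPS:
            hits.append((src, dst, port))
    return hits


def check_attachment(data):
    """Hash attachment bytes and return the post's label if the SHA256 is a known sample, else None."""
    digest = hashlib.sha256(data).hexdigest()
    return KNOWN_SHA256.get(digest)


# Constructed sample logs (not real traffic): one hit per category plus benign noise.
PROXY_LOG = [
    "2015-12-01T12:03:11 10.0.0.5 GET http://rotulosvillarreal.com/~clientes/6543f/9o8jhdw.exe 200",
    "2015-12-01T12:03:15 10.0.0.7 GET http://example.com/index.html 200",
    "2015-12-01T12:03:40 10.0.0.9 GET http://data.axima.cz/~krejcir/other.html 404",
]
CONN_LOG = [
    "2015-12-01T12:04:02 10.0.0.5 94.73.155.12 443",
    "2015-12-01T12:04:05 10.0.0.7 93.184.216.34 80",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("proxy hit:", hit)
    for hit in scan_connection_log(CONN_LOG):
        print("connection hit:", hit)
    # A constructed byte string stands in for a real attachment; it will not match.
    print("attachment:", check_attachment(b"not the real sample"))
```

In practice the two scan functions would be fed real proxy and firewall exports after adapting the field positions, and `check_attachment` would be run over attachments extracted from the mail gateway; the hash check only catches these exact samples, so the host and IP matches are the more durable signal for this campaign.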
