MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Purchase Order 124658”.
This email is sent from the spoofed address “Gina Harrowell <firstname.lastname@example.org>” and has the following body:
Sent 2 DEC 15 09:18
Knaves Beech Way
Telephone 01628 850100
Fax 01628 850331
From: CliniMed Limited
Company Registration No: 01646927
Registered Office: Cavell House, Knaves Beech Way,
Loudwater, High Wycombe, Bucks, HP10 9QY
The contents of this e-mail are confidential to the sender and the addressee. If you are not the addressee, or responsible for delivering to the addressee, please notify us immediately by telephoning our IT Support on 01628 850100 (UK) or +44 1628 850100 (international) and delete the message from your computer without copying or forwarding it or disclosing its contents to any other party. CliniMed Limited cannot accept any responsibility for changes made to this message after it was sent and you should not rely on information given in the message without obtaining written confirmation. It is the responsibility of the addressee to scan incoming mail for viruses and CliniMed Limited accepts no liability or responsibility for viruses. Opinions expressed in this e-mail are those of the sender and may not reflect the opinions and views of CliniMed Limited.
The attached file P-ORD-C-10156-124658 is 94 kB in size and is an Excel file with a malicious macro.
The Excel file is detected as LooksLike.Macro.Malware.gen!x3 (v), Trojan.Script.MLW.dyxcgi, heur.macro.download.cc or HEUR.VBA.Trojan.
At the time of writing, 5 of the 55 AV engines detected the Excel malware at VirusTotal.
The malicious macro in the Excel file will download an additional 328 kB malware executable from the following hosts:
The trojan is known as Troj.Downloader.W32.Obfuscated, BehavesLike.Win32.Dropper.fh or HEUR/QVM10.1.Malware.Gen.
At the time of writing, 3 of the 54 AV engines detected the trojan at VirusTotal.
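As an added example (not part of the MX Lab post), a mail-gateway triage check for the pattern described above: an OLE2 (legacy Excel) container that carries a VBA macro storage and arrives under a filename with no Office extension, as P-ORD-C-10156-124658 does. The sample message and attachment bytes are constructed here, not taken from the real campaign, and the macro check is a byte-level heuristic rather than a full OLE parser.

```python
import email
from email import policy
from email.message import EmailMessage

# Magic bytes of an OLE2 compound file, the container used by legacy .xls/.doc.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entries store storage/stream names as UTF-16LE, so the names
# of the VBA storages appear in that encoding inside the raw file bytes.
VBA_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros")]
OFFICE_EXTENSIONS = (".xls", ".xlsm", ".doc", ".docm")


def looks_like_ole_with_macro(data: bytes) -> bool:
    """Triage heuristic, not a parser: OLE2 container whose bytes contain a
    VBA storage name. Confirm hits with a real tool such as olevba."""
    if not data.startswith(OLE2_MAGIC):
        return False
    return any(marker in data for marker in VBA_MARKERS)


def suspicious_attachments(raw_message: bytes) -> list:
    """Return [(filename, [reasons])] for attachments worth quarantining."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if not looks_like_ole_with_macro(data):
            continue
        reasons = ["OLE2 container carrying a VBA macro storage"]
        if not name.lower().endswith(OFFICE_EXTENSIONS):
            # The campaign's attachment name has no extension at all.
            reasons.append("Office container delivered without an Office extension")
        findings.append((name, reasons))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample modelled on the campaign (not the real malware):
    a fake OLE2 blob with a VBA storage name under the extension-less name."""
    fake_xls = OLE2_MAGIC + b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 32
    msg = EmailMessage()
    msg["From"] = "Gina Harrowell <firstname.lastname@example.org>"
    msg["Subject"] = "Purchase Order 124658"
    msg.set_content("Sent 2 DEC 15 09:18\nKnaves Beech Way\n")
    msg.add_attachment(fake_xls, maintype="application", subtype="octet-stream",
                       filename="P-ORD-C-10156-124658")
    msg.add_attachment("plain notes", filename="notes.txt")  # benign control
    return msg.as_bytes()
```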