New Word malware with the subject “Aline Payment Request”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Aline Payment Request”.

This email is sent from the spoofed address “Bruce Sharpe <bruce@alinepumps.com>” and has the following body:

ATTENTION: ACCOUNTS PAYABLE

Dear Sir/Madam,

Overdue Alert

Our records show that your current balance with us is �2795.50 of which �2795.50 is still overdue.

Your urgent attention and earliest remittance of this amount would be appreciated.

We value your business and we would like to resolves any issues as quickly as possible. I am personally available on (02) 8508 4900 or bruce@alinepumps.com

Sincerely,

Bruce Sharpe – Accounts Receivable

PO Box 694 Engadine NSW 2233 P. 02 9544 9999 F. 02 9544 8599 E. bruce@alinepumps.com

The attached file Statement_1973_1357257122414.doc is a 90 kB Word file with a malicious macro that downloads additional malware.

The Word malware is detected as Trojan.Script.MLW.dyxcgi, HEUR.VBA.Trojan, heur.macro.download.cc or Trojan-Downloader/W97M.Iron.

At the time of writing, 4 of the 54 AV engines detected the trojan at VirusTotal.
SHA256: d9db7d32949c4df6a5d9d0292b576ae19681be7b6e0684df57338390e87fc6d6
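
With so few engines detecting the sample, a mail-gateway check on the campaign indicators above is a useful stopgap. The following is an added example, not MX Lab's code: it triages a raw message against the subject, spoofed sender, attachment name and SHA256 from this post. The `Statement_<digits>_<digits>.doc` name pattern, the `triage` and `build_sample` helpers and the quarantine rule are assumptions made for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the advisory text.
SUBJECT = "aline payment request"
SENDER = "bruce@alinepumps.com"
SHA256 = "d9db7d32949c4df6a5d9d0292b576ae19681be7b6e0684df57338390e87fc6d6"
# Assumption: other samples keep the Statement_<digits>_<digits>.doc shape.
NAME_RE = re.compile(r"^Statement_\d+_\d+\.doc$", re.IGNORECASE)
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc container header


def triage(raw: bytes) -> dict:
    """Return which campaign indicators a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = {
        "subject": SUBJECT in str(msg["Subject"] or "").lower(),
        "sender": SENDER in str(msg["From"] or "").lower(),
        "attachment_name": False,
        "ole2_doc": False,
        "sha256": False,
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        hits["attachment_name"] |= bool(NAME_RE.match(name))
        hits["ole2_doc"] |= data.startswith(OLE2_MAGIC)
        hits["sha256"] |= hashlib.sha256(data).hexdigest() == SHA256
    # A hash match alone is conclusive; otherwise require subject plus a .doc lure.
    hits["quarantine"] = hits["sha256"] or (
        hits["subject"] and (hits["attachment_name"] or hits["ole2_doc"])
    )
    return hits


def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Constructed test message; the payload is inert placeholder bytes."""
    m = EmailMessage()
    m["From"] = "Bruce Sharpe <bruce@alinepumps.com>"
    m["To"] = "accounts@example.org"
    m["Subject"] = subject
    m.set_content("ATTENTION: ACCOUNTS PAYABLE")
    m.add_attachment(payload, maintype="application", subtype="msword",
                     filename=filename)
    return m.as_bytes()
```

The sender match is reported but not used in the quarantine decision, because the address is spoofed and also belongs to a real business.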