MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “ICM – Invoice #2393”. It is believed to be a continuation of the previous campaign “Invoice from DATANET the Private Cloud Solutions Company”, since the executable downloaded by the Word macro is the same.
This email is sent from the spoofed address “Industrial Cleaning Materials (ICM) <email@example.com>” and has the following body:
Please find invoice 2393 attached.
Industrial Cleaning Materials
Unit 19 Highlode Ind Est
Stocking Fen Road
Tel: 01487 800011
fax 01487 812075
The attached file order_2393.doc is a Word file with an embedded malicious macro.
2 of the 54 AV engines at Virus Total detected the Word file as malware, with the name heur.macro.download.cc or Trojan-Downloader/W97M.Iron. SHA256: 00ab8a1a2bfa99a92e0cacaaf1e7ca1af6c8cc0eab6f070f157ec9c2d7f03a51
The macro will download the executable h54f3.exe from the locations found below.
The trojan is known as HEUR/QVM10.1.Malware.Gen by 1 of the 52 AV engines at Virus Total.
Use Virus Total for more detailed information.
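A mail-gateway triage check for the indicators named in this alert (subject, attachment name, SHA256 of the Word file), as an added example that is not MX Lab's code. It assumes the invoice number varies between messages; `triage` and `build_sample` are hypothetical names and the sample message is constructed.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# SHA256 of order_2393.doc as published in the alert above.
KNOWN_SHA256 = {"00ab8a1a2bfa99a92e0cacaaf1e7ca1af6c8cc0eab6f070f157ec9c2d7f03a51"}

# Assumption: the invoice number changes per message, so any digits match.
# The subject separator may arrive as a hyphen, en dash or em dash.
SUBJECT_RE = re.compile(r"ICM\s*[-\u2013\u2014]\s*Invoice\s*#\d+", re.I)
ATTACH_RE = re.compile(r"^order_\d+\.doc$", re.I)


def triage(raw, known_hashes=KNOWN_SHA256):
    """Return the sorted indicators from the alert that a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    # policy.default decodes RFC 2047 encoded-words in the subject.
    if SUBJECT_RE.search(msg["Subject"] or ""):
        hits.add("subject")
    for part in msg.iter_attachments():
        if ATTACH_RE.match(part.get_filename() or ""):
            hits.add("attachment_name")
        # Hash the decoded attachment, so a renamed file is still caught.
        payload = part.get_payload(decode=True) or b""
        if hashlib.sha256(payload).hexdigest() in known_hashes:
            hits.add("sha256")
    return sorted(hits)


def build_sample(subject, filename, content):
    """Constructed test message; not a captured sample from the campaign."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Please find invoice attached.")
    m.add_attachment(content, maintype="application", subtype="msword",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    raw = build_sample("ICM \u2013 Invoice #2393", "order_2393.doc", b"placeholder")
    print(triage(raw))
```

A subject or filename match alone is a weak signal that can be evaded by renaming; the hash match is exact but only covers the one published file.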