New Word malware with email “ICM – Invoice #2393”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “ICM – Invoice #2393”. It is believed to be a continuation of the previous campaign “Invoice from DATANET the Private Cloud Solutions Company”, since the executable downloaded by the Word macro is the same.

This email is sent from the spoofed address “Industrial Cleaning Materials (ICM) <sales@icmsupplies.co.uk>” and has the following body:

Dear Customer,

Please find invoice 2393 attached.

Kind Regards,
ICM

Industrial Cleaning Materials
Unit 19 Highlode Ind Est
Stocking Fen Road
Ramsey
Huntingdon
Cambridgeshire
PE26 2RB

Tel: 01487 800011
fax 01487 812075

The attached file order_2393.doc is a Word file with an embedded malicious macro.

2 of the 54 AV engines at Virus Total detected the Word file as malware, under the name heur.macro.download.cc or Trojan-Downloader/W97M.Iron. SHA256: 00ab8a1a2bfa99a92e0cacaaf1e7ca1af6c8cc0eab6f070f157ec9c2d7f03a51

The macro will download the executable h54f3.exe from the following locations:

http://www.ofenrohr-thermometer.de/u5y432/h54f3.exe
ante-prima.com/u5y432/h54f3.exe

The trojan is detected as HEUR/QVM10.1.Malware.Gen by 1 of the 52 AV engines at Virus Total.

Use Virus Total for more detailed information.
SHA256: 69baedcd4300842e9d2c7c2938bbfcfdb65cf384c6fd8e3b2622f2e1546c9bb7
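
As an added example (not MX Lab's code), the email indicators described in this post can be checked against a raw message with Python's standard library. The subject pattern that generalises over the invoice number, the recipient address and the inert sample attachment are assumptions constructed for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from this post.
DOC_SHA256 = "00ab8a1a2bfa99a92e0cacaaf1e7ca1af6c8cc0eab6f070f157ec9c2d7f03a51"
SPOOFED_SENDER = "sales@icmsupplies.co.uk"
# Assumption: the invoice number may vary between messages, so match any digits.
SUBJECT_RE = re.compile(r"ICM\s+\S\s+Invoice\s+#\d+", re.I)
ATTACH_RE = re.compile(r"order_\d+\.doc$", re.I)
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc container, can carry VBA


def triage(raw: bytes) -> list[str]:
    """Return the campaign indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject")
    if SPOOFED_SENDER in str(msg.get("From", "")).lower():
        hits.append("spoofed-sender")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if ATTACH_RE.search(part.get_filename() or ""):
            hits.append("attachment-name")
        if data.startswith(OLE_MAGIC):
            hits.append("ole-document")
        if hashlib.sha256(data).hexdigest() == DOC_SHA256:
            hits.append("known-sha256")
    return hits


def sample_message(subject: str, sender: str, filename: str, body: bytes) -> bytes:
    """Build a constructed test message; the attachment is inert filler bytes."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, "user@example.test"
    msg.set_content("Please find invoice 2393 attached.")
    msg.add_attachment(body, maintype="application", subtype="msword", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = sample_message("ICM \u2013 Invoice #2393",
                          "Industrial Cleaning Materials (ICM) <sales@icmsupplies.co.uk>",
                          "order_2393.doc", OLE_MAGIC + b"\x00" * 64)
    print(triage(lure))
```

The constructed sample matches on subject, sender, attachment name and container type but not on `known-sha256`, which only fires for the exact document hashed in this post.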
