MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Order 311286 Acknowledged”.
This campaign is a variant of the earlier campaign "New Word malware: STMT ACWL-15DEC12-120106 from mamsoft.co.uk", because the Malwr analysis of the file refers to the file XACWL-15DEC12-120106.DOC that is also used there. The difference lies in the email itself and in the renaming of the Word document.
This email is sent from the spoofed address "firstname.lastname@example.org" and has an empty body.
The attached file Order Acknowledgement.doc is a Word document with a malicious macro that downloads the payload from a remote host.
The malicious Word file is detected as HEUR.VBA.Trojan, Trojan:W97M/MaliciousMacro.GEN, Trojan.Script.Dinihou.coscqs, heur.macro.download.cc, Trojan-Dropper/W97M.Bouen or WM/Agent!tr by 6 of the 54 AV engines at VirusTotal.
The macro downloads from gunugun.com/76t7h/76gjk.exe the 238 kB executable 76gjk.exe, which is detected as BehavesLike.Win32.Downloader.dc or HEUR/QVM07.1.Malware.Gen by 2 AV engines at VirusTotal.
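As an added example (not MX Lab's code), the following mail-gateway check scores an incoming message on the traits described above: the known subject, an empty body, and an Office attachment whose OLE container carries a VBA project storage. The VBA check is a byte-level heuristic on the CFB directory name, not a full OLE parse, and the sample message is constructed to mimic the campaign.

```python
import email
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls (CFB) header
# CFB directory entry names are stored as UTF-16LE; a VBA project shows up
# as the "_VBA_PROJECT" storage name (heuristic assumption, not a full parse).
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
KNOWN_SUBJECTS = {"Order 311286 Acknowledged"}   # subject from the campaign
OFFICE_EXT = (".doc", ".dot", ".xls")

def doc_has_vba(data: bytes) -> bool:
    """True if the blob is an OLE container that names a VBA project storage."""
    return data.startswith(OLE_MAGIC) and VBA_MARKER in data

def score_message(raw: bytes) -> dict:
    """Return the campaign indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain", "html"))
    if not (body.get_content().strip() if body else ""):
        findings.append("empty body")
    if str(msg["Subject"] or "").strip() in KNOWN_SUBJECTS:
        findings.append("subject matches known campaign")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(OFFICE_EXT) and doc_has_vba(part.get_payload(decode=True) or b""):
            findings.append(f"attachment {name}: OLE document with VBA macro storage")
    # Two or more indicators together are treated as a match for this campaign.
    return {"suspicious": len(findings) >= 2, "findings": findings}

def build_sample() -> bytes:
    """Constructed sample: spoofed sender, empty body, fake .doc with a VBA marker."""
    fake_doc = OLE_MAGIC + b"\x00" * 504 + VBA_MARKER + b"\x00" * 64
    m = EmailMessage()
    m["From"] = "firstname.lastname@example.org"
    m["To"] = "recipient@example.com"
    m["Subject"] = "Order 311286 Acknowledged"
    m.set_content("")
    m.add_attachment(fake_doc, maintype="application", subtype="msword",
                     filename="Order Acknowledgement.doc")
    return m.as_bytes()

if __name__ == "__main__":
    print(score_message(build_sample()))
```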