New Word malware: Order 311286 Acknowledged from sales@touchstonelighting.co.uk


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Order 311286 Acknowledged”.

This campaign is a variant of the campaign “New Word malware: STMT ACWL-15DEC12-120106 from mamsoft.co.uk”: the Malwr analysis of the file refers to the file XACWL-15DEC12-120106.DOC, which is also used in that campaign. The difference lies in the email and the renaming of the Word document.

This email is sent from the spoofed address “sales@touchstonelighting.co.uk” and has an empty body.

The attached file Order Acknowledgement.doc is a Word document with a malicious macro that downloads the payload from a remote host.

The malicious Word file is detected as HEUR.VBA.Trojan, Trojan:W97M/MaliciousMacro.GEN, Trojan.Script.Dinihou.coscqs, heur.macro.download.cc, Trojan-Dropper/W97M.Bouen or WM/Agent!tr by 6 of the 54 AV engines at Virus Total.

Use Virus Total or Malwr for more detailed information.
SHA256: cf17078aa0d42f48defd04cacdd54088b20a571be454e68495583142dc137a11

The macro downloads the 238 kB executable 76gjk.exe from gunugun.com/76t7h/76gjk.exe. The executable is detected as BehavesLike.Win32.Downloader.dc or HEUR/QVM07.1.Malware.Gen by 2 AV engines at Virus Total.

Use Virus Total or Malwr for more detailed information.
SHA256: 5314fde2ed059597ceefd24e94ff13d97c33375f20b0aea4f6a8d855aa048dc8
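
A mail-triage check built from the indicators above, as an added example that is not MX Lab's own code. The function names, the three-hit threshold and the constructed test message are assumptions made for illustration. Because the sender address is spoofed, a sender match is treated as one weak signal among several; only the SHA256 of the attachment is conclusive.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Indicators copied from this advisory.
SENDER = "sales@touchstonelighting.co.uk"
SUBJECT = "Order 311286 Acknowledged"
ATTACHMENT = "Order Acknowledgement.doc"
DOC_SHA256 = "cf17078aa0d42f48defd04cacdd54088b20a571be454e68495583142dc137a11"
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of legacy .doc files


def triage(raw: bytes) -> dict:
    """Report which of the advisory's indicators a raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses if msg["From"] else ()
    body = msg.get_body(preferencelist=("plain", "html"))
    hits = {
        "sender": any(a.addr_spec.lower() == SENDER for a in sender),
        "subject": str(msg["Subject"] or "").strip() == SUBJECT,
        "empty_body": not (body.get_content().strip() if body else ""),
        "attachment_name": False, "ole2_doc": False, "known_sha256": False,
    }
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        hits["attachment_name"] |= (part.get_filename() or "") == ATTACHMENT
        hits["ole2_doc"] |= data.startswith(OLE2_MAGIC)
        hits["known_sha256"] |= hashlib.sha256(data).hexdigest() == DOC_SHA256
    return hits


def verdict(hits: dict) -> str:
    """Hash match is conclusive; three or more weaker hits mark a suspect."""
    if hits["known_sha256"]:
        return "known-sample"
    return "suspect" if sum(hits.values()) >= 3 else "no-match"


def constructed_sample() -> bytes:
    """Constructed test message; the attachment is a harmless placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = SENDER, "user@example.com", SUBJECT
    m.set_content("\n")  # body is a lone newline, i.e. empty
    m.add_attachment(OLE2_MAGIC + b"placeholder, not the real sample",
                     maintype="application", subtype="msword", filename=ATTACHMENT)
    return m.as_bytes()


if __name__ == "__main__":
    h = triage(constructed_sample())
    print(h, verdict(h))
```

The constructed message scores as "suspect" rather than "known-sample" because its placeholder attachment does not hash to the value listed above.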