New Word malware: STMT ACWL-15DEC12-120106 from mamsoft.co.uk


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “STMT ACWL-15DEC12-120106”.

This email is sent from the spoofed address “"accounts@mamsoft.co.uk" <statements@mamsoft.co.uk>” and has the following body:

The following are attached to this email:
XACWL-15DEC12-120106.DOC

The attached file XACWL-15DEC12-120106.DOC is a Word document with a malicious macro that downloads the payload from a remote host.

The malicious Word file is detected as HEUR.VBA.Trojan, Trojan:W97M/MaliciousMacro.GEN, Trojan.Script.Dinihou.coscqs, heur.macro.download.cc or Trojan-Dropper/W97M.Bouen by 6 of the 54 AV engines at VirusTotal.

Use VirusTotal or Malwr for more detailed information.
SHA256: d24ce045246fd4ac7e959dbf82a4a16ae445b014b0d70319c2506a53183a3a7d

The macro downloads the 238 kB executable 76gjk.exe from life.1pworks.com/76t7h/76gjk.exe. This executable is detected as BehavesLike.Win32.Downloader.dc or HEUR/QVM07.1.Malware.Gen by 2 AV engines at VirusTotal.

Use VirusTotal or Malwr for more detailed information.
SHA256: 5314fde2ed059597ceefd24e94ff13d97c33375f20b0aea4f6a8d855aa048dc8
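
A mail-triage check built from the indicators in this advisory, as an added example (not MX Lab's code): it flags the mismatch between display name and real address in the From header, the campaign subject, the known document SHA256, and OLE2 attachments that carry a VBA project. The function names, the `_VBA_PROJECT` stream heuristic and the sample message are assumptions constructed here.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators copied from the advisory text.
CAMPAIGN_SUBJECT = "STMT ACWL-15DEC12-120106"
KNOWN_DOC_SHA256 = "d24ce045246fd4ac7e959dbf82a4a16ae445b014b0d70319c2506a53183a3a7d"
# Generic format facts (assumptions, not from the advisory): the OLE2 container
# magic and the UTF-16LE name of a stream found in every VBA project storage.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")

def triage(raw: bytes) -> list[str]:
    """Return the indicator names that fire for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    display, addr = parseaddr(str(msg.get("From", "")))
    # Display name that is itself an address, but not the real sender address.
    if "@" in display and display.strip().lower() != addr.lower():
        hits.append("display-name-mismatch")
    if str(msg.get("Subject", "")).strip() == CAMPAIGN_SUBJECT:
        hits.append("campaign-subject")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if hashlib.sha256(data).hexdigest() == KNOWN_DOC_SHA256:
            hits.append("known-doc-sha256")
        if data.startswith(OLE2_MAGIC):
            hits.append("ole2-attachment")
            if VBA_STREAM in data:  # heuristic: a VBA project is present
                hits.append("vba-macro-present")
    return hits

def build_sample() -> bytes:
    """Constructed stand-in for the campaign e-mail; the attachment is inert filler."""
    m = EmailMessage()
    m["From"] = '"accounts@mamsoft.co.uk" <statements@mamsoft.co.uk>'
    m["To"] = "user@example.com"
    m["Subject"] = CAMPAIGN_SUBJECT
    m.set_content("The following are attached to this email:\nXACWL-15DEC12-120106.DOC\n")
    fake_doc = OLE2_MAGIC + b"\x00" * 504 + VBA_STREAM  # not a real document
    m.add_attachment(fake_doc, maintype="application", subtype="msword",
                     filename="XACWL-15DEC12-120106.DOC")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

The constructed attachment does not hash to the advisory's SHA256, so `known-doc-sha256` fires only on the real sample.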
