MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “STMT ACWL-15DEC12-120106”.
This email is sent from the spoofed address “"firstname.lastname@example.org" <email@example.com>” and has the following body:
The following are attached to this email:
The attached file XACWL-15DEC12-120106.DOC is a Word document with a malicious macro that will download the payload from a remote host.
The malicious Word file is known as HEUR.VBA.Trojan, Trojan:W97M/MaliciousMacro.GEN, Trojan.Script.Dinihou.coscqs, heur.macro.download.cc or Trojan-Dropper/W97M.Bouen by 6 of the 54 AV engines at Virus Total.
The macro will download the 238 kB executable 76gjk.exe from life.1pworks.com/76t7h/76gjk.exe; this file is detected as BehavesLike.Win32.Downloader.dc or HEUR/QVM07.1.Malware.Gen by 2 AV engines at Virus Total.
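A mail-gateway triage check for the traits described above, as an added example that is not MX Lab's code: it flags the campaign subject, the attachment name, and a From display name that shows a different address than the real sender. The function names, the finding labels and the recipient address are assumptions, and the sample message is constructed with inert attachment bytes.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators quoted in the advisory above.
CAMPAIGN_SUBJECT = "STMT ACWL-15DEC12-120106"
CAMPAIGN_ATTACHMENT = "XACWL-15DEC12-120106.DOC"
# Loose address pattern, only used to spot an address inside a display name.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def triage(raw: bytes) -> list:
    """Return which campaign traits a raw RFC 5322 message shows (empty if none)."""
    msg = message_from_bytes(raw, policy=policy.default)  # decodes RFC 2047 headers
    findings = []
    subject = " ".join(str(msg["Subject"] or "").split())  # normalise whitespace
    if subject.casefold() == CAMPAIGN_SUBJECT.casefold():
        findings.append("subject")
    # Display name showing one address while the real sender is another.
    sender = msg["From"]
    for a in (sender.addresses if sender is not None else ()):
        shown = ADDR_RE.search(a.display_name)
        if shown and shown.group(0).casefold() != a.addr_spec.casefold():
            findings.append("from-mismatch")
            break
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if name.casefold() == CAMPAIGN_ATTACHMENT.casefold():
            findings.append("attachment")
            break
    return findings

def constructed_sample() -> bytes:
    """Constructed test message; the attachment bytes are inert placeholder text."""
    m = EmailMessage()
    m["From"] = '"firstname.lastname@example.org" <email@example.com>'
    m["To"] = "user@example.net"  # hypothetical recipient
    m["Subject"] = CAMPAIGN_SUBJECT
    m.set_content("placeholder body")
    m.add_attachment(b"inert placeholder", maintype="application",
                     subtype="msword", filename=CAMPAIGN_ATTACHMENT)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(constructed_sample()))
```

The subject and attachment name identify only this one run, so the display-name mismatch is the trait most likely to remain useful on its own.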