New Word malware: Betreff: E2DF65AC – fake invoice from Büromarkt Böttcher AG


MX Lab, http://www.mxlab.eu, has started to intercept a new malware distribution campaign by email with the subject “Betreff: E2DF65AC” (the combination varies with each email).

This email is sent from different spoofed email addresses and has the following body:

Your invoice from Büromarkt Böttcher AG

Dear Sir or Madam,

Thank you for your order. It will be shipped immediately by our
logistics center.

Please find your invoice attached.

Your customer number: D81288800
Your invoice number: 098ABF5E

Kind regards
Your Büromarkt Böttcher AG team

Büromarkt Böttcher AG

Address:
Brüsseler Straße 3
07747 Jena
Executive Board:
Helge Bauer

*14 cents incl. VAT/min from German landlines; maximum mobile rate 42
cents incl. VAT/min

The attached file invoice71703875.doc (the number in the filename varies with each email) is a 25 kB Word file with a malicious macro.

The malware is detected as Trojan.MacroDown.Gen.TN by 1 of the 54 AV engines at Virus Total.

Use VirusTotal or Malwr for more detailed information.
SHA256: adcec267f659a412730c1296a200c2603ebeec68633aa792eb9af175fe56342b

The embedded macro connects to the following URL: hxxp://179.60.144.18/captain/black.php

The 119 kB executable _123.exe is then downloaded. This malware is detected as HW32.Packed.3A08, BehavesLike.Win32.Fednu.cc, PE:Malware.Generic(Thunder)!1.A1C4 [F] or Trojan.Win32.Generic.pak!cobra by 7 of the 55 AV engines at Virus Total.

Use VirusTotal or Malwr for more detailed information.
SHA256: 36d87d3b0568effe100a4b5716eedde2840802dac6d4bd187986f45b342bf5f3
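
With only 1 of 54 engines flagging the document, mail-side triage on the campaign's own traits is a useful complement. The following is an added example, not code from MX Lab: it checks a raw message for the subject pattern, the attachment name pattern, the document hash given above and an OLE file carrying a VBA project. The 8-hex-character subject and digits-only filename patterns are assumptions generalized from the single sample shown, the `_VBA_PROJECT` search is a heuristic, and the sample messages are constructed with inert bytes.

```python
import email, hashlib, re
from email import policy
from email.message import EmailMessage

# Assumptions generalized from the one sample on the page.
SUBJECT_RE = re.compile(r"^(?:Betreff:\s*)?[0-9A-F]{8}$")
ATTACH_RE = re.compile(r"^invoice\d+\.doc$", re.I)
# Document hash as published on the page.
KNOWN_SHA256 = {"adcec267f659a412730c1296a200c2603ebeec68633aa792eb9af175fe56342b"}
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")      # OLE2 compound file header
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")    # heuristic: VBA stream name

def triage(raw: bytes) -> list[str]:
    """Return the campaign traits found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if SUBJECT_RE.match((msg["Subject"] or "").strip()):
        reasons.append("subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if ATTACH_RE.match(name):
            reasons.append("attachment-name")
        if hashlib.sha256(data).hexdigest() in KNOWN_SHA256:
            reasons.append("known-hash")
        # Macro check is independent of the filename, which varies per email.
        if data.startswith(OLE_MAGIC) and VBA_MARKER in data:
            reasons.append("ole-with-vba")
    return reasons

def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Constructed test message; the payload is inert bytes, not a real document."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@example.com", subject
    m.set_content("constructed body")
    m.add_attachment(payload, maintype="application", subtype="msword", filename=filename)
    return m.as_bytes()

FAKE_MACRO_DOC = OLE_MAGIC + b"\x00" * 64 + VBA_MARKER   # constructed, inert
PLAIN_DOC = OLE_MAGIC + b"\x00" * 64                      # constructed, no VBA marker

if __name__ == "__main__":
    print(triage(build_sample("Betreff: E2DF65AC", "invoice71703875.doc", FAKE_MACRO_DOC)))
    print(triage(build_sample("Meeting notes", "agenda.doc", PLAIN_DOC)))
```

A message that matches on subject and attachment name but not on the hash is still worth quarantining, since the filename number and subject code change with each email.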
