New Word malware in fake email “Lieferschein” from Textilreinigung Klaiber


MX Lab, http://www.mxlab.eu, has started to intercept a new malware distribution campaign by email with the subject “Lieferschein”.

This email is sent from the spoofed address “Textilreinigung Klaiber <lieferschein@textilreinigung-klaiber.de>” and has the following body:

Sehr geehrte Damen und Herren,

in der Anlage erhalten Sie wie gewünscht den aktuellen Lieferschein.

Bei Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen

Textilreinigung Klaiber
Gewerbestrasse 39
78054 VS – Schwenningen
Telefon 07720 / 33238
Telefax 07720 / 33641
service@textilreinigung-klaiber.de

The attached file 11815–113686.doc is a Word file with a malicious macro.

The malware is detected as Macro.Trojan-Downloader.Agent.KF by 1 of the 54 AV engines at VirusTotal.

Use VirusTotal or Malwr for more detailed information.
SHA256: a6ba0b22cdd4b44501bd74fcc15aad4683d0fe7ce3175bb37ce5260a2a665179

The macro will download the payload from the following location:

198.12.153.134/~webfrecuencia/786h8yh/87t5fv.exe

The executable 87t5fv.exe is detected as HW32.Packed.9634, QVM07.1.Malware.Gen or PE:Malware.RDM.13!5.13 [F] by 3 of the 54 AV engines at VirusTotal.

Use VirusTotal or Malwr for more detailed information.
SHA256: ea38ea05084135bf6852bd2473c045a5944e4758e023d1d7d47a380ab8d7d9ed
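
The indicators above can be checked against a stored message before it reaches a mailbox. The following is an added example, not code from MX Lab: the function names, the indicator labels and the sample message are constructed for illustration, and the OLE2 signature check is a general file-format fact rather than something stated on this page.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from this page.
SUBJECT = "lieferschein"
SENDER_DOMAIN = "textilreinigung-klaiber.de"
DOC_SHA256 = "a6ba0b22cdd4b44501bd74fcc15aad4683d0fe7ce3175bb37ce5260a2a665179"
# Signature of the OLE2 container used by legacy .doc files (format fact, not from the page).
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def triage(raw: bytes) -> set:
    """Return the names of the indicators that a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    if SUBJECT in str(msg["Subject"] or "").lower():
        hits.add("subject")
    # The address is spoofed, so this is a lure match, not proof of origin.
    sender = msg["From"]
    if sender and any(a.domain.lower() == SENDER_DOMAIN for a in sender.addresses):
        hits.add("sender_domain")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".doc"):
            hits.add("doc_attachment")
        if data.startswith(OLE_MAGIC):
            hits.add("ole_container")
        if hashlib.sha256(data).hexdigest() == DOC_SHA256:
            hits.add("known_hash")
    return hits


def constructed_sample() -> bytes:
    """Constructed message; the attachment is placeholder bytes, not the real sample."""
    m = EmailMessage()
    m["From"] = "Textilreinigung Klaiber <lieferschein@textilreinigung-klaiber.de>"
    m["To"] = "user@example.com"
    m["Subject"] = "Lieferschein"
    m.set_content("Sehr geehrte Damen und Herren,")
    m.add_attachment(OLE_MAGIC + b"\x00" * 504, maintype="application",
                     subtype="msword", filename="00000-000000.doc")
    return m.as_bytes()


if __name__ == "__main__":
    print(sorted(triage(constructed_sample())))
```

The constructed attachment does not match the published hash, so the sample is flagged on the lure indicators only; a `known_hash` hit requires the actual file.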
