New Word malware: Order 0046/033777 [Ref. MARKETHILL CHURCH]


MX Lab, http://www.mxlab.eu, has started to intercept a new e-mail malware distribution campaign with the subject “Order 0046/033777 [Ref. MARKETHILL CHURCH]”.

This e-mail is sent from the spoofed address “JOHN RUSSELL <John.Russell@yesss.co.uk>” and has the following body, which consists of nothing but a copied company signature block:

John Russell
Branch Manager

Yesss Electrical
44 Hilsborough Old Road
Lisburn
BT27 5EW

T: 02892 606 758
M: 07854362314
F: 02892 606 759
E: John.Russell@yesss.co.uk

EW Award winner 2015
Electrical Times Award winner 2014
EW Award winner 2014
YESSS gains all three BSI industry standards
Order a YESSS Book NOW!
Our YESSS motto
Visit the YESSS website      Visit the YESSS Facebook
page       Visit the YESSS Twitter page
Visit the YESSS Youtube page
Visit the YESSS Linkedin page
Visit the YESSS Pinterest page

The attached file 033777 [Ref. MARKETHILL CHURCH].doc is a Word document containing a malicious macro, which acts as a downloader for the actual payload.

The document is detected as LooksLike.Macro.Malware.gen!d1 (v), HEUR(high).VBA.Trojan or W97M/Downloader.auj by 6 of the 55 AV engines at VirusTotal.

See VirusTotal for more detailed information.
SHA256: a6d258bec6ed045e79b9592aa2638452870e7f73ebacaf8adfca739aa413bac6

When the macro runs, it downloads the payload from one of the following locations (the same path on three different hosts):

amyzingbooks.com/l9k7hg4/b4387kfd.exe
webdesignoshawa.ca/l9k7hg4/b4387kfd.exe
powerstarthosting.com/l9k7hg4/b4387kfd.exe

The downloaded payload (b4387kfd.exe) is detected as PE:Malware.Generic(Thunder)!1.A1C4 [F] or TSPY_DRIDEX.YYSQJ by 4 of the 55 AV engines at VirusTotal; the TSPY_DRIDEX name points to the Dridex banking trojan.

See VirusTotal for more detailed information.
SHA256: 37ccb1fc8c465f9ff028c172c2a424af61fd72322c91f9fe4c410225dec2c10d
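The indicators in this post (the three download URLs and the two SHA256 values) are what a practitioner would want to sweep for. The script below is an added example, not MX Lab's code: it matches the download locations against proxy log lines in Squid's native access.log layout and looks up attachment or download hashes against the two SHA256 values. The log lines, client IPs and file bytes in it are constructed for the example; only the IOC values come from the post.

```python
"""Added example for this post (not MX Lab's code): match the indicators
listed above against proxy log lines and attachment hashes. The IOC values
are the ones from the post; the log lines, client IPs and file bytes below
are constructed for the example."""
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Download locations from the post, given without a scheme.
DOWNLOAD_URLS = [
    "amyzingbooks.com/l9k7hg4/b4387kfd.exe",
    "webdesignoshawa.ca/l9k7hg4/b4387kfd.exe",
    "powerstarthosting.com/l9k7hg4/b4387kfd.exe",
]

# SHA256 values from the post.
KNOWN_HASHES = {
    "a6d258bec6ed045e79b9592aa2638452870e7f73ebacaf8adfca739aa413bac6":
        "033777 [Ref. MARKETHILL CHURCH].doc (macro downloader)",
    "37ccb1fc8c465f9ff028c172c2a424af61fd72322c91f9fe4c410225dec2c10d":
        "b4387kfd.exe (payload)",
}


def normalize(url):
    """Split a URL into (host, path) with a lowercased host; a scheme is
    prepended when missing so urlsplit treats the host as the netloc."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path


IOC_TARGETS = {normalize(u) for u in DOWNLOAD_URLS}
IOC_HOSTS = {host for host, _ in IOC_TARGETS}
IOC_PATHS = {path for _, path in IOC_TARGETS}

# Squid native access.log layout (assumed here):
# timestamp elapsed client code/status bytes method URL user hierarchy type
SQUID_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log; 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = [
    "1444500000.123 312 10.0.0.17 TCP_MISS/200 1243 GET http://www.example.org/news - HIER_DIRECT/203.0.113.1 text/html",
    "1444500001.456 890 10.0.0.17 TCP_MISS/200 389120 GET http://amyzingbooks.com/l9k7hg4/b4387kfd.exe - HIER_DIRECT/203.0.113.5 application/octet-stream",
    "1444500002.789 45 10.0.0.42 TCP_MISS/404 520 GET http://webdesignoshawa.ca/l9k7hg4/b4387kfd.exe - HIER_DIRECT/203.0.113.6 text/html",
    "1444500003.000 120 10.0.0.42 TCP_MISS/200 389120 GET http://cdn.example.net/l9k7hg4/b4387kfd.exe - HIER_DIRECT/203.0.113.7 application/octet-stream",
]


def scan_proxy_log(lines):
    """One hit per line whose URL is an IOC host+path, an IOC host with any
    path, or the IOC path on a host not yet on the list (a new download
    location for the same campaign). A 404 still counts: the request shows
    the macro ran, whether or not that host was still serving the file."""
    hits = []
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue
        host, path = normalize(m.group("url"))
        if (host, path) in IOC_TARGETS:
            reason = "exact IOC URL"
        elif host in IOC_HOSTS:
            reason = "IOC host, other path"
        elif path in IOC_PATHS:
            reason = "IOC path on unlisted host"
        else:
            continue
        hits.append({"client": m.group("client"), "host": host,
                     "status": m.group("status"), "url": m.group("url"),
                     "reason": reason})
    return hits


def hosts_by_client(hits):
    """Group IOC hosts per client; a client touching several in a row is
    the macro walking its download list after a failed attempt."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["client"]].add(h["host"])
    return {client: sorted(hosts) for client, hosts in grouped.items()}


def lookup_hash(sha256_hex):
    """Map a SHA256 hex digest (any case) to the sample it identifies."""
    return KNOWN_HASHES.get(sha256_hex.strip().lower())


def identify_sample(data):
    """Hash raw bytes (an extracted attachment or download) and look it up."""
    return lookup_hash(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(hosts_by_client(found))
    print(identify_sample(b"not the real attachment"))
```

The third match rule (known path on an unlisted host) is deliberately broader than the post's list: the same `/l9k7hg4/b4387kfd.exe` path on a host that is not one of the three is worth a look, since it is how additional download locations for the same campaign usually surface in logs. The hash lookup only tells you whether a file is one of the two samples here; a different build of the same document or payload will not match, so treat a miss as inconclusive.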