New Word malware: Message from local network scanner


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Message from local network scanner”.

This email is sent from spoofed addresses and has no body text.

The attached file Scann16011310150.doc (filename may vary) is a Word file with a malicious macro.

The malware is detected as HEUR(high).VBA.Trojan, Trojan:W97M/MaliciousMacro.GEN or heur.macro.download.cc by 4 of the 54 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: e87c827ea1bda3b3954ae9725b1f8343c18d563914311c477bfc2c279851d3b6

The Word macro will download the payload from the following locations:

www.willsweb.talktalk.net/786h5g4/9787g4fr4.exe

The malware is detected as Win32:Evo-gen [Susp], QVM20.1.Malware.Gen or PE:Malware.XPACK/RDM!5.1 [F] by 3 of the 55 AV engines at Virus Total.

See Virus Total for more detailed information.
SHA256: 944fe9e3e332c9399ce3954e4f00864552bf8b43f83f06dfa8b670529eaa0bc6
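
The traits described above (subject line, missing body, attachment name and document hash) can be checked against stored mail with a short triage script. This is an added example, not code from MX Lab; the `Scann<digits>.doc` filename pattern is an assumption based on the single name given, and the sample message is constructed for the demonstration.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text.
SUBJECT = "message from local network scanner"
DOC_SHA256 = "e87c827ea1bda3b3954ae9725b1f8343c18d563914311c477bfc2c279851d3b6"
# Assumption: varying filenames keep the "Scann<digits>.doc" shape.
NAME_RE = re.compile(r"^scann\d+\.doc$", re.IGNORECASE)
# OLE2 compound-file magic: the legacy .doc container that can hold VBA macros.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

def campaign_traits(raw: bytes) -> list:
    """Return which traits of this campaign one raw RFC 5322 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("empty-body")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if NAME_RE.match(part.get_filename() or ""):
            hits.append("filename")
        if data.startswith(OLE2_MAGIC):
            hits.append("ole2-attachment")
        if hashlib.sha256(data).hexdigest() == DOC_SHA256:
            hits.append("known-hash")
    return hits

def build_sample(subject: str, body: str, name: str, data: bytes) -> bytes:
    """Construct a test message; none of this is real campaign data."""
    msg = EmailMessage()
    msg["Subject"] = subject
    if body:
        msg.set_content(body)
    msg.add_attachment(data, maintype="application", subtype="msword", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    lure = build_sample("Message from local network scanner", "",
                        "Scann16011310150.doc", OLE2_MAGIC + b"constructed bytes")
    print(campaign_traits(lure))
```

A message matching several traits without the known hash is still worth quarantining, since the filename and the document itself may vary between runs of the campaign.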