New Word malware: Invoice 9210


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invoice 9210”.

This email is sent from the spoofed address “Dawn Salter <dawn@mrswebsolutions.com>” and has the following body:

Good afternoon

I hope all is good with you.

Please see attached invoice 9210.

Kind regards
Dawn
Dawn Salter
Office Manager
Tel: +44 (0)1252 616000 / +44 (0)1252 622722
DDI: +44 (0)1252 916494
Web:  www.mrswebsolutions.com

1 Blue Prior Business Park, Church Crookham, Fleet, Hants, GU52 0RJ

The attached file 9210.DOC is a Word file with a malicious macro.

The malware is detected as HEUR.VBA.Trojan.d or WM/TrojanDownloader.4D52!tr by 2 of the 53 AV engines at Virus Total.

See the Virus Total report for more detailed information.
SHA256: d7cefbfcfc5af2529683b156f7afe5c88cac653009f9b30fd7663f9a27dabcc3

Malware will be downloaded by the malicious macro from the following locations:

hxxp://www.cityofdavidchurch.org/54t4f4f/7u65j5hg.exe
hxxp://www.hartrijders.com/54t4f4f/7u65j5hg.exe
hxxp://grudeal.com/54t4f4f/7u65j5hg.exe

The malware is detected as BehavesLike.Win32.PWSZbot.dc by 1 of the 53 AV engines at Virus Total.

See the Virus Total report for more detailed information.
SHA256: aaf789d10a3e643d1f808e2a5de084461b1f0625e88d4e800e75043b1b8d9f0d
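
The three download locations listed above share the same path, so web proxy logs can be checked both for the listed hosts and for that path on any other host. The following is an added example, not part of the original post: the log layout, the sample log lines and the function names are constructed for illustration, and treating the shared path as an indicator on its own is an assumption.

```python
import re
from urllib.parse import urlsplit

# Defanged download locations, copied from the list in this post.
DEFANGED_IOCS = [
    "hxxp://www.cityofdavidchurch.org/54t4f4f/7u65j5hg.exe",
    "hxxp://www.hartrijders.com/54t4f4f/7u65j5hg.exe",
    "hxxp://grudeal.com/54t4f4f/7u65j5hg.exe",
]

# Constructed proxy log lines; the "client method url status" layout is assumed.
SAMPLE_LOG = [
    "10.0.0.5 GET http://www.hartrijders.com/54t4f4f/7u65j5hg.exe 200",
    "10.0.0.7 GET http://grudeal.com/index.html 200",
    "10.0.0.9 GET http://files.example.net/54t4f4f/7u65j5hg.exe 404",
    "10.0.0.9 GET http://www.example.org/invoice/9210.pdf 200",
]

def split_url(url):
    """Refang (hxxp -> http) and return (host without 'www.', lowercased path)."""
    parts = urlsplit(re.sub(r"^hxxp", "http", url.strip(), flags=re.I))
    host = (parts.hostname or "").lower()
    return (host[4:] if host.startswith("www.") else host), parts.path.lower()

IOC_HOSTS = {split_url(u)[0] for u in DEFANGED_IOCS}
IOC_PATHS = {split_url(u)[1] for u in DEFANGED_IOCS}

def classify(log_line):
    """Return 'exact', 'host', 'path' or None for one proxy log line."""
    m = re.search(r"\bhttps?://\S+", log_line, flags=re.I)
    if not m:
        return None
    host, path = split_url(m.group(0))
    if host in IOC_HOSTS and path in IOC_PATHS:
        return "exact"   # listed host serving the listed payload path
    if host in IOC_HOSTS:
        return "host"    # any other request to one of the listed sites
    if path in IOC_PATHS:
        return "path"    # same payload path on a host not in the list
    return None

def scan(lines):
    """Pair every matching log line with its verdict."""
    return [(v, l) for l in lines if (v := classify(l))]

if __name__ == "__main__":
    for verdict, line in scan(SAMPLE_LOG):
        print(f"{verdict:5}  {line}")
```

A "host" hit alone may be ordinary traffic to one of the listed sites, while an "exact" or "path" hit from a client that also received the “Invoice 9210” email is the stronger sign that the macro ran.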