New Word malware: Invoice #47865


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invoice #47865” (numbers will change with each email).

This email is sent from spoofed addresses and has the following bodies (only a few samples are published below):

Hello,

Please find attached invoice #85666705 for your attention.

Regards,
Amelia Becker
Product Administrator
NOVA RESOURCES LTD

Hello,

Please find attached invoice #47865 for your attention.

Regards,
Bettye Swanson
Product Administrator
JARDINE LLOYD THOMPSON GROUP

Hello,

Please find attached invoice #16282 for your attention.

Regards,
Alexis Dorsey
Product Administrator
Firstsource

Hello,

Please find attached invoice #07485590 for your attention.

Regards,
Olive Vega
Product Administrator
ASOS

Hello,

Please find attached invoice #182 for your attention.

Regards,
Nannie Mullins
Product Administrator
ACTUAL EXPERIENCE PLC

Hello,

Please find attached invoice #790009 for your attention.

Regards,
Darius Stephenson
Product Administrator
SVG CAPITA

The attached file INVOICE-UK-UK0704-7382-JARDINE LLOYD THOMPSON GROUP.doc is a Word file with a malicious macro. Please note that the filename will change in accordance with the company name that is being used in the email body.

The malware is detected as W97M/DLoader.A, Trojan-Downloader:W97M/Dridex.S, Trojan.Script.Agent.dowdin or CXmail/OleDl-A by 5 of the 54 AV engines at Virus Total.

The malicious file sanders.exe will be downloaded from the following host:

hxxp://apex.godreal.org/motoko/kusanagi.php

Use VirusTotal or Malwr for more detailed information.
SHA256: 78d1d34b14667a4aba12dccbd572f4b78cc1e59ad71517a683a4c5102496ebfa

The malware is detected as UDS:DangerousObject.Multi.Generic or HEUR/QVM07.1.Malware.Gen by 2 of the 54 AV engines at Virus Total.

Use VirusTotal or Malwr for more detailed information.
SHA256: f011157459b16a7847680243100dcb7e1749da72350629904826a10079c5ae11
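The lure template, the attachment naming scheme, the download host and the two SHA256 values above can be turned directly into mail-gateway triage logic. The script below is an added example written for this post, not MX Lab code: it scores a message on the "Invoice #<digits>" subject, the "Please find attached invoice" body template, the INVOICE-UK-...-<company>.doc file name (including the check that the company in the file name matches the company in the signature), and the published hashes, and it refangs the hxxp:// indicator so the host can be compared. The sample email is constructed from the second body quoted above; the attachment bytes are a placeholder, so the hash lookup deliberately does not fire. The post does not say which SHA256 belongs to the .doc and which to sanders.exe, so the hashes are labelled only by order.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the write-up above. The post does not state which hash
# is the .doc and which is sanders.exe, so they are labelled by order only.
KNOWN_SHA256 = {
    "78d1d34b14667a4aba12dccbd572f4b78cc1e59ad71517a683a4c5102496ebfa": "first hash in the write-up",
    "f011157459b16a7847680243100dcb7e1749da72350629904826a10079c5ae11": "second hash in the write-up",
}
DOWNLOAD_HOSTS = {"apex.godreal.org"}

# Lure patterns observed in the campaign.
SUBJECT_RE = re.compile(r"^Invoice #\d+$")
BODY_RE = re.compile(r"Please find attached invoice #(\d+) for your attention", re.I)
SIGNATURE_RE = re.compile(r"Product Administrator\r?\n(?P<company>[^\r\n]+)")
ATTACHMENT_RE = re.compile(r"^INVOICE-UK-[A-Z0-9]+-\d+-(?P<company>.+)\.doc$", re.I)


def refang(url):
    """Turn a defanged indicator such as hxxp://... back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def host_of(url):
    """Hostname of a (possibly defanged) URL, lower-cased, or None."""
    host = urlsplit(refang(url)).hostname
    return host.lower() if host else None


def is_known_download_host(url):
    return host_of(url) in DOWNLOAD_HOSTS


def triage_message(subject, body, attachment_name, attachment_bytes):
    """Score one email against the lure template and the hash indicators.

    Returns the individual signals, the extracted invoice number and company,
    any hash match, and a verdict: 'suspicious' when the attachment hash is a
    published indicator or at least two lure signals fire, otherwise 'clean'.
    """
    signals = []
    invoice_number = None
    company = None

    if SUBJECT_RE.match(subject.strip()):
        signals.append("subject is 'Invoice #<digits>'")

    body_match = BODY_RE.search(body)
    if body_match:
        invoice_number = body_match.group(1)
        signals.append("body uses the 'Please find attached invoice' template")

    sig_match = SIGNATURE_RE.search(body)
    if sig_match:
        company = sig_match.group("company").strip()

    att_match = ATTACHMENT_RE.match(attachment_name)
    if att_match:
        signals.append("attachment name is INVOICE-UK-<code>-<digits>-<company>.doc")
        if company and att_match.group("company").strip().casefold() == company.casefold():
            signals.append("attachment name embeds the company from the signature")

    digest = hashlib.sha256(attachment_bytes).hexdigest()
    known_hash = KNOWN_SHA256.get(digest)
    if known_hash:
        signals.append("attachment SHA256 matches a published indicator (%s)" % known_hash)

    verdict = "suspicious" if known_hash or len(signals) >= 2 else "clean"
    return {
        "verdict": verdict,
        "signals": signals,
        "invoice_number": invoice_number,
        "company": company,
        "sha256": digest,
        "known_hash": known_hash,
    }


# Constructed sample: second email body and the attachment name quoted in the
# write-up. The bytes are a stand-in, not the real document.
SAMPLE_SUBJECT = "Invoice #47865"
SAMPLE_BODY = (
    "Hello,\n\n"
    "Please find attached invoice #47865 for your attention.\n\n"
    "Regards,\nBettye Swanson\nProduct Administrator\n"
    "JARDINE LLOYD THOMPSON GROUP\n"
)
SAMPLE_ATTACHMENT = "INVOICE-UK-UK0704-7382-JARDINE LLOYD THOMPSON GROUP.doc"
SAMPLE_BYTES = b"placeholder bytes, not the real .doc"

if __name__ == "__main__":
    result = triage_message(SAMPLE_SUBJECT, SAMPLE_BODY, SAMPLE_ATTACHMENT, SAMPLE_BYTES)
    print(result["verdict"], result["signals"])
    print("download host known:", is_known_download_host("hxxp://apex.godreal.org/motoko/kusanagi.php"))
```

The hash lookup is the only signal that identifies these exact samples; the template checks catch the rest of the campaign, where the invoice number, signer and company rotate per email, which is why the verdict requires two of them rather than one. Run against a real mail stream, the same logic would also flag a later attachment whose name scheme and signature match even though its hash is new.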