New Word malware: Invoice (w/e 070216)


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invoice (w/e 070216)”.

This email is sent from the spoofed address “Kelly Pegg [kpegg@responserecruitment.co.uk]”. The message does not originate from Response Recruitment; it is a forgery with a malicious attachment. Response Recruitment is aware of this and has placed a disclaimer on their web site.

The email itself has the following body:

Good Afternoon

Please find attached invoice and timesheet.

Kind Regards

Kelly

The attached file SKM_C3350160212101601.docm is a Word file with a malicious macro.

The malware is detected as Macro.Trojan-Downloader.Agent.MM, Trojan:W97M/MaliciousMacro.GEN, WM/Agent!tr or W97M/Downloader!7D0374C82670 by 5 of the 54 AV engines at Virus Total.

Use Virus Total or Malwr for more detailed information.
SHA256: 772eebff7b5452987d11613e8a9a3742dd8c5cb14927b8d79b7e192d3973ee71

Malware will be downloaded from:

hxxp://sstv.go.ro/09u8h76f/65fg67n

The malware is detected as UDS:DangerousObject.Multi.Generic, PE:Malware.RDM.18!5.18 [F] or Mal/Generic-S by 3 of the 54 AV engines at Virus Total.

Use Virus Total or Malwr for more detailed information.
SHA256: 230a53b665cf61ff2b8d55f24363d3850f8b498eaf3437557c6157879bb25134
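
The following triage check is an added example, not part of the original MX Lab post: it parses a raw message and reports which of the indicators above it matches (subject, spoofed sender, attachment SHA256), and also flags any attachment that carries a VBA project even when it is not named .docm. The function names and the sample message are constructed for illustration; the sample attachment is a harmless stand-in.

```python
import hashlib
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from this post; the sample data further down is constructed.
SUBJECT = "Invoice (w/e 070216)"
SPOOFED_FROM = "kpegg@responserecruitment.co.uk"
DOCM_SHA256 = "772eebff7b5452987d11613e8a9a3742dd8c5cb14927b8d79b7e192d3973ee71"

def has_vba_project(data: bytes) -> bool:
    """True if data is an OOXML (zip) file that contains a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def triage(raw: bytes) -> dict:
    """Report matched indicators; header matches are weak (the sender is forged)."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = {"subject": SUBJECT in str(msg["Subject"] or ""),
            "from": SPOOFED_FROM in str(msg["From"] or "").lower(),
            "macro_attachment": False, "known_hash": False}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        if name.endswith(".docm") or has_vba_project(data):
            hits["macro_attachment"] = True
        if hashlib.sha256(data).hexdigest() == DOCM_SHA256:
            hits["known_hash"] = True
    return hits

def build_sample() -> bytes:
    """Constructed message: campaign headers, harmless attachment renamed .doc."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", b"constructed placeholder, not a macro")
    m = EmailMessage()
    m["From"] = "Kelly Pegg <kpegg@responserecruitment.co.uk>"
    m["Subject"] = SUBJECT
    m.set_content("Good Afternoon\n\nPlease find attached invoice and timesheet.\n")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="octet-stream", filename="invoice.doc")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

A hash match identifies this exact attachment; the macro check still fires if the file is repacked or renamed, which the hash and extension checks alone would miss.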