New Word macro malware: Documents from Purple Office – IN00011880


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Documents from Purple Office – IN00011880”. The email has the appearance to be send by the company Purple Office, an office equipment supplier, but this is all fake.

This campaign has the same characteristics as the campaign Order Confirmation-0355-9389556-20160815-516290 from esab.co.uk.

This email is send from the spoofed address “Jen <Jen@purple-office.com>” and has the following body:

Please find attached invoice/credit from Purple Office.

Best regards,

Purple Office

The attached file 75F9CA019B607968791B3213C10BF6D6.docm is a Word file with malicious macro.

The malware is detected by 8/55 AV engines at Virus Total. Malwr analysis shows that a connection is made to the host hxxp://topfireart.com/HJ6bhGHV – the same binary file. Currently, this file seems to be removed and a default 404 error page of a hosting provider is shown.