New Word macro malware: Order Confirmation-0355-9389556-20160815-516290 from

MX Lab,, started to intercept a new malware distribution campaign by email with the subject “Order Confirmation-0355-9389556-20160815-516290”. The email has the appearance to be send by the company ESAB, a welding and cutting equipment supplier, but this is all fake.

This email is send from the spoofed address “” and has the following body – no text, only a generic disclaimer:

This communication and any files transmitted with it contain information which is confidential and which may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any disclosure, copying, printing or use whatsoever of this communication or the information contained in it is strictly prohibited. If you have received this communication in error, please notify us by e-mail or by telephone as above and then delete the e-mail together with any copies of it.

ESAB does not accept liability for the integrity of this message or for any changes, which may occur in transmission due to network, machine or software failure or manufacture or operator error. Although this communication and any files transmitted with it are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility will be accepted by ESAB for any loss or damage arising in any way from receipt or use thereof.

The attached file Order Confirmation-0355-9389556-20160815-516290.docm is a Word file with malicious macro.

Note that the file name of the .docm and the subject line of the email will vary with each email.

The malware is detected by 7/55 AV engines at Virus Total. Malwr analysis shows that a binary is downloaded from hxxp:// and hxxp://

2 thoughts on “New Word macro malware: Order Confirmation-0355-9389556-20160815-516290 from

  1. In the copy I received, the headers show that it originated from IP address 177-87-151-171, which belongs to (SAMPAIO & SAMPAIO PROVEDORES DE INTERNET LTDA).
    I will notify them; perhaps they can find the perpetrator and …
    Shut ‘m’ down!

Comments are closed.