Email based threat leads to malicious Word file


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with different content.

Sample 1:

From:  “rm@restaurantcocotte.com” <rm@restaurantcocotte.com>
Subject: ******.be due invoice
Content:

I tried to fax you the invoice we discussed about over the phone.

It did not go through, so we uploaded it to our invoice portal :

Due Invoice

Please let me know when you have sent the payment.

Thank you

Sample 2:

From: “rm@restaurantcocotte.com” <rm@restaurantcocotte.com>
Subject: RE: shipping done
Content:

We shipped your crap.
Here s the tracking invoice :
hxxps://www.ups.com/?tracking_invoice=2193 71293129312&action=download

Let us know when it arrives.
Thanks

The embedded URLs all lead to hxxp://invoice-portal.com/invoices/get.php?id=YW50b25pby5ndXRpZXJyZXpAdmNzdC5jb20ubXg= (note that the id string varies with each email).
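As an added illustration (not part of the MX Lab post), the following Python checks an HTML mail body for the two traits visible in these samples: link text naming a different host than the real href (the ups.com text in front of the invoice-portal link), and an id parameter that base64-decodes to an e-mail address, which a per-message varying id suggests. The sample body and recipient address are constructed, and the assumption that the id encodes the recipient is mine, not something the post states.

```python
import base64, binascii, re
from html.parser import HTMLParser

# Constructed HTML body modelled on the "tracking invoice" sample above: visible ups.com
# text, href to the invoice portal, id = base64 of a made-up recipient address (assumption).
RECIPIENT = "someone@example.com"
SAMPLE_BODY = ('Here s the tracking invoice :<br><a href="http://invoice-portal.com/'
               'invoices/get.php?id=' + base64.b64encode(RECIPIENT.encode()).decode()
               + '">https://www.ups.com/?tracking_invoice=611605&amp;action=download</a>')

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):  # hostname of a URL, '' when the string is plain text rather than a URL
    m = re.match(r"^\w+://([^/?#]+)", url)
    return m.group(1).lower() if m else ""
def decoded_id(url):  # the ?id= value if it is base64 of an e-mail address, else None
    m = re.search(r"[?&]id=([A-Za-z0-9+/=]+)", url)
    if not m:
        return None
    try:
        text = base64.b64decode(m.group(1), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if re.match(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$", text) else None

def analyse(body):
    """Flag display/href host mismatches and ids that encode a recipient address."""
    parser = LinkExtractor()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        if host(text) and host(text) != host(href):
            findings.append(("display-mismatch", host(text), host(href)))
        if decoded_id(href):
            findings.append(("tracking-id", decoded_id(href), host(href)))
    return findings
```

For a link whose visible text is plain wording such as "Due Invoice", only the tracking-id finding fires; a genuine ups.com link produces neither.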

Visiting this URL downloads the file inv11172016.doc, a malicious Word document. When the document is opened, it displays a message that the document is protected, together with instructions on how to open it. See the screenshot below.

The malicious Word file is detected by 6/54 AV engines at Virus Total. Further analysis is available on Malwr and Hybrid Analysis.

The Word file contains an embedded URL and downloads its payload from hxxp://www.ict-investment.me/wp-content/themes/limuso/inst.exe.

The malware is detected by 8/56 AV engines at Virus Total.

Update 17/11/2016 – 19:00 (Belgian local time):

From: Tom Ludgate <tomludgate@valleymusicuk.com>
Subject: RE:RE: usps
Content:

We shipped your crap.
Here s the tracking invoice :
https://www.ups.com/?tracking_invoice=611605&action=download

Let us know when it arrives.
Thanks

In this new sample the URL leads to hxxp://goout.gr/misc/ui/images/view.php?id=ZGVrZXVrZWxhZXJldGVjaEB0ZXh0aWVsc2VydmljZWRla2V1a2VsYWVyZS5iZQ0=, which downloads the file ups_333240291.doc.

The malicious Word file is detected by 6/54 AV engines at Virus Total.