Installation
This threat is a malicious macro script for Microsoft Office files. The macro can download and run other malware on your PC.
It can be installed when you open an attachment to a spam email that claims to be about a purchase, invoice or product order. For example, we have seen this threat attached to spam emails with the following subjects:
-
Payment Details – <random letter and five numbers>, for example Payment Details – P97291
-
Order – <random letter and five numbers>, for example Order – Y24383
-
Invoice – <random letter and five numbers>, for example Invoice – P97291
The attachment is usually a Word document (.doc file). We have seen it use the following names:
-
BILLING DETAILS_<four numbers>.doc, for example BILLING DETAILS_9879.doc
-
ORDER INFO_<four numbers>.doc, for example ORDER INFO_7702
Payload
Downloads other malware
The infected .doc files contain a malicious macro script that, when opened, can download and run other malware onto your PC.
The malware uses social engineering tactics to try to get you to enable macro scripting when you view the document, as macro scripts are usually disabled by default in Microsoft Office.
We have seen the malware uses the following fake warnings in an attempt to get you to enable macros:
If macros are enabled the trojan tries to connect to the following URL:
-
isolectra.com.sg/<removed>/<removed>.exe
-
lynxtech.com.hk/<removed>/<removed>.exe
We have seen it download TrojanDownloader:Win32/Drixed.B to %APPDATA%\Local\Temp\444.exe.
Analysis by Patrick Estavillo
