Tuesday, 23 December 2014

CHRISTMAS OFFERS: Jayne route2fitness.co.uk: (attached word malware)

Looks like some new word macro malware is incoming...
with no message body.... but does have an attached file:

From: "Jayne" Jayne@route2fitness.co.uk

Currently the attached filename is: CHRISTMAS OFFERS.doc

As suspected it's a word macro malware.

Sanesecurity signatures are blocking this one as:

Sanesecurity.Malware.24646.DocHeur.UNOFFICIAL FOUND

Hashes so far... and ALL VirusTotal scanners are showing clean :(


Decoded macro here: (pastebin)

Route 2 Fitness is a Sports Club and won't have anything to do with the malware,
they are just being used as a target :(

Just to show you the sort of numbers involved in these virus runs... per hour... that one site is


The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))



No comments: