Analysis byFarrel Moje

We recently came across samples of a spam campaign, this time using the disguise of a credentialing invoice advertising medical services - specifically, those pertaining to anesthesia. The body of the message is short and directs the reader to its attachment - a Microsoft Word document that may look harmless at first glance but is actually malicious. 

When opened, a macro embedded in the document surreptitiously triggers a download of the Dridex malware, enabling it to first steal credentials and then attempt to generate fraudulent financial transactions.

The spam mail is already blocked and the attachment is detected as W2KM_DRIDEX.

Once again, we advise users to never open suspicious mails, especially when they come with attachments such as these.

 SPAM BLOCKING DATE / TIME: 15 de декабря de 2015 GMT-8
 TMASE
  • TMASE Engine: :
  • Patrón TMASE: :AS2004