The email attachment contains an exe file, the malware itself, which downloads other payloads. At the moment, however, it is not known what they are.
Technical analysis by the Malware Hunter JAMESWT
Dridex is behind the wave of emails on fake invoices, which have just arrived in Italy. The message contains a link from which to download a Word file, which then downloads a DLL and infects the machine with the malware. The attachment uses the same template as the Emotet Doc
Dridex is behind the wave of emails on fake invoices, which have just arrived in Italy. The goal of cybercrime is to spread the banking Trojan thanks to a link contained in the messages. This, in fact, leads to the download of a Word document on the victim’s computer, which contacts some malicious links from which a DLL is then downloaded, starting the malware infection chain. Furthermore, each email contains a different link from which it allows the download of the Doc. If, however, it is detected that this has already been downloaded previously, the user is redirected to another site (https://www.nchsoftware[.com/). Moreover, the attachment uses the same template as the Emotet Doc.
The email text on the fake invoice with the malicious link
The Word attachment from which the DLL that infects the computer with malware is downloaded
The urls contacted by the DOC to download the Dridex DLL