Home / malwarePDF  


First posted on 03 November 2017.
Source: Microsoft

Aliases :

There are no other names known for TrojanDownloader:O97M/Powdow.

Explanation :


This threat typically arrives through spam email. It tries to trick users to enable macros. For example:

When the macro is enabled, the obfuscated macro code runs another PowerShell script:

The decrypted PowerShell script looks like:

This PowerShell script will start downloading the final payload from the following URLs:

  • hxxp://maria-rasmus.dk/yCR/
  • hxxps://unicorerecords.com/B/
  • hxxp://creditbox.fr/WglkC/
  • hxxp://emmanet.be/YliDtuMa/
  • hxxp://stern68.de/kYZ/


Downloads other malware

The macro tries to download other malware including PWS:Win32/Fareit.P.

We have seen the following files downloaded from the mentioned URLs:
  • 8b71c966303b11e9c0296c5ca5dbcae99daa56ca
  • ca155f82586b6eceecf3ce06978e3d7b90bc8cd6
  • d32dbc697c4323b142dbf3ab90fba32a7b16c581
  • e44a7e7252887a745de69e1b1b598b1e67b7c94b

Analysis by Duc Nguyen

Last update 03 November 2017