TrojanDownloader:O97M/Powdow
First posted on 03 November 2017.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:O97M/Powdow.
Explanation:
Installation
This threat typically arrives through spam email. It tries to trick users into enabling macros. For example:
When the macro is enabled, the obfuscated macro code runs another PowerShell script:
The decrypted PowerShell script looks like:
This PowerShell script then downloads the final payload from the following URLs:
Payload
Downloads other malware
The macro tries to download other malware including PWS:Win32/Fareit.P.
We have seen the following files downloaded from the mentioned URLs:
Analysis by Duc Nguyen. Last update 03 November 2017.