Looks like the criminal community needed a last-minute infusion of cash. Earlier today the EdgeWave Threat Detection Center saw the first samples of a Christmas themed attack using an obfuscated VB macro within a Microsoft Word attachment.

As usual, the email comes from a spoofed sender, this time compliments of a compromised server in Germany. In fact, the IP address of this server,, is identified via multiple open source intelligence communities as being compromised.

Maintaining the trend of “less is more” phishing campaigns, the email itself is basic enough and nothing that cries out “Be careful!”


Opening the attachment presents some very “helpful” text on how to successfully open the Word document.


Once opened, the VB macro calls out to download a member of the trojan.valyria family. There are multiple malware variants from this family and we are still researching what this version does. Bottom line, there is nothing good that will come from opening the attachment.

With the hustle and bustle of last-minute shopping, please take extra special care with any inbound email using the following:

Subject lines:

  • [NAME] e-alert Happy Christmas Message
  • [NAME] Christmas greeting email!
  • Christmas congratulation
  • Christmas eCard
  • Merry Christmas to you! Christmas greetings

Attachment Names:

  • greetingcard.doc
  • Greeting eCard 2018.doc
  • GreetingCard.doc
  • Greeting Card Christmas.doc
  • greeting card.doc

Technical Information:

  • MD5 – 05b2eab5f079e030a00310154760ea6e
  • SHA256 – a8348f98c20431c48e6b38afd01eaf966ca551d6079ea82d974b0a19b12cb64e