New fake email PL REMITTANCE DETAILS ref1790232EG with malcious XLS in the wild


MX Lab, http://www.mxlab.eu, started to intercept a new distribution campaign by email with the subject “PL REMITTANCE DETAILS ref1790232EG (number at the end may vary with each email)”

This email is send from the spoofed addresses and has the following body:

The attached remittance details the payment of £344.29 made on 16-DEC-2014 by BACSE.

This email was generated using PL Payment Remittance of Integra Finance System.

Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.

The attached file 1790232EG.xls is a malicious Excel sheet with macro that will download a file from another location with the payload.

Screenshot of the XLS:

The malicious XLS  is detected  by 1 of the 55 AV engines at Virus Total and is labelled heur.macro.download.c.

Use the Virus Total permalink or Malwr permalink for more detailed information.
SHA256: e6017c6355af0aed24b70b62c8684842f715600e75df4b279c8653f428b6cae3