MX Lab, http://www.mxlab.eu, started to intercept a new email distribution campaign with the subject “PL REMITTANCE DETAILS ref1790232EG” (the number at the end may vary with each email).
This email is sent from spoofed addresses and has the following body:
The attached remittance details the payment of £344.29 made on 16-DEC-2014 by BACSE.
This email was generated using PL Payment Remittance of Integra Finance System.
Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.
The attached file 1790232EG.xls is a malicious Excel sheet with a macro that downloads a file containing the payload from another location.
[Screenshot of the XLS]
The malicious XLS is detected by 1 of the 55 AV engines at VirusTotal and is labelled heur.macro.download.c.
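With only 1 of 55 engines flagging the file, a mail-gateway check on the campaign's own traits is a useful complement. The following is an added example, not MX Lab's code: it matches the subject format, requires an attachment named after the reference, and looks for a VBA project inside the legacy Excel container. The function names, the alphanumeric reference pattern and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject format from the advisory; the reference token varies per email.
# Assumption: the token is alphanumeric (the page only shows 1790232EG).
SUBJECT_RE = re.compile(r"PL REMITTANCE DETAILS ref([0-9A-Za-z]+)")
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .xls container signature
# Heuristic: OLE directory names are UTF-16LE; a VBA project carries this name.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def triage(raw: bytes) -> dict:
    """Score one RFC 5322 message against the campaign traits described above."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = {"subject": False, "attachment_name": False, "ole2": False, "vba": False}
    m = SUBJECT_RE.search(str(msg.get("Subject", "")))
    if not m:
        return hits
    hits["subject"] = True
    ref = m.group(1)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name != f"{ref}.xls".lower():
            continue  # only the attachment named after the reference counts
        hits["attachment_name"] = True
        data = part.get_payload(decode=True) or b""
        hits["ole2"] = data.startswith(OLE2_MAGIC)
        hits["vba"] = hits["ole2"] and VBA_MARKER in data
    return hits


def should_quarantine(raw: bytes) -> bool:
    h = triage(raw)
    # Subject plus matching attachment name is the campaign signature; the
    # macro check separates a macro-bearing sheet from a plain one.
    return h["subject"] and h["attachment_name"] and h["vba"]


def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Constructed test message; payload is inert bytes, not a real workbook."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("The attached remittance details the payment ...")
    m.add_attachment(payload, maintype="application", subtype="vnd.ms-excel",
                     filename=filename)
    return m.as_bytes()
```

Messages that match the subject and attachment name but carry no VBA marker are still worth logging, since `triage` returns each trait separately.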