Email Remittance Advice -LCDQ26 contains Excel file with malicious macro


MX Lab, http://www.mxlab.eu, started to intercept a new malicious email campaign with the subject “Remittance Advice -LCDQ26”.

This email is sent from spoofed sender addresses, and the body contains nothing but a confidentiality disclaimer:

Confidentiality and Disclaimer:  This email and its attachments are intended for the addressee only and may be confidential or the subject of legal privilege.
If this email and its attachments have come to you in error you must take no action based on them, nor must you copy them, distribute them or show them to anyone.
Please contact the sender to notify them of the error.

This email and any attached files have been scanned for the presence of computer viruses. However, you are advised that you open any attachments at your own risk.
Please note that electronic mail may be monitored in accordance with the Telecommunications (Lawful Business Practices)(Interception of Communications) Regulations 2000.

The attached file LCDQ26.xls, a 25 kB Excel workbook, contains an embedded VBA macro that acts as a downloader: when it runs, it fetches the actual trojan. The six-character code in the subject and in the attachment file name changes with every email.

At the time of writing, the malicious Excel file is not detected by any AV engine on VirusTotal.

Use the VirusTotal permalink for more detailed information.
SHA256: e78fb465f9767ae897dd928714f2a329987e765259f5f66275128aa2d44ee6b5

MX Lab recommends not opening this Excel sheet at all, or at the very least keeping macro execution disabled in the Office security settings so that macros cannot run when an Excel (or Word) file is opened.
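The indicators in this post (a rotating subject code reused as the attachment name, an .xls that carries a VBA project, and the published SHA256) can be turned into a small mail-gateway triage check. The script below is an added example written for this page, not MX Lab's code. It assumes the rotating code is four upper-case letters followed by two digits, as in LCDQ26 and in the reader comment; the OLE byte search for the UTF-16LE storage name `_VBA_PROJECT_CUR` is a heuristic rather than a real parser, and the sample attachments it builds are constructed in-memory stand-ins, not the real malware.

```python
"""Triage an inbound mail for the 'Remittance Advice -XXXX99' macro campaign.

Added example for this post; not MX Lab code. Assumed: the rotating code is
four upper-case letters plus two digits, as in LCDQ26 and the reader comment.
"""
import hashlib
import io
import re
import zipfile

# Indicator from the post: SHA256 of the intercepted LCDQ26.xls.
KNOWN_BAD_SHA256 = {
    "e78fb465f9767ae897dd928714f2a329987e765259f5f66275128aa2d44ee6b5",
}

# Assumption: rotating code = 4 upper-case letters + 2 digits (e.g. LCDQ26).
SUBJECT_RE = re.compile(r"^Remittance Advice -(?P<code>[A-Z]{4}[0-9]{2})\s*$")

# OLE2 compound-file signature used by legacy .xls/.doc.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entry names are stored UTF-16LE; Excel keeps VBA under a
# "_VBA_PROJECT_CUR" storage, Word under "Macros". A raw byte search is a
# heuristic, not a parser (use oletools/olevba for real analysis).
OLE_VBA_MARKERS = tuple(n.encode("utf-16-le") for n in ("_VBA_PROJECT_CUR", "Macros"))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def has_vba_project(data: bytes) -> bool:
    """Heuristic check for an embedded VBA project in OLE2 or OOXML files."""
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in OLE_VBA_MARKERS)
    if data.startswith(b"PK\x03\x04"):  # OOXML (.xlsm/.docm) is a zip container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage(subject: str, attachment_name: str, attachment: bytes,
           known_hashes=KNOWN_BAD_SHA256) -> dict:
    """Return a verdict plus the individual indicators that fired."""
    reasons = []
    match = SUBJECT_RE.match(subject)
    if match:
        reasons.append("subject matches campaign pattern")
        if attachment_name.lower() == match.group("code").lower() + ".xls":
            reasons.append("attachment name reuses the subject code")
    digest = sha256_hex(attachment)
    hash_hit = digest in known_hashes
    if hash_hit:
        reasons.append("SHA256 matches a known sample")
    macro = has_vba_project(attachment)
    if macro:
        reasons.append("attachment carries a VBA project")
    # Block on a hash hit, or on a macro-bearing attachment inside a
    # campaign-pattern mail; a macro alone is only logged, a subject alone is noise.
    suspicious = hash_hit or (macro and match is not None)
    return {"sha256": digest, "suspicious": suspicious, "reasons": reasons}


# --- constructed samples (not real malware) so the script runs offline ------
def fake_macro_xls() -> bytes:
    """OLE header followed by the UTF-16LE storage name a VBA-bearing .xls has."""
    return OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT_CUR".encode("utf-16-le") + b"\x00" * 96


def fake_macro_xlsm() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def benign_xlsx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


if __name__ == "__main__":
    for subj, name, blob in (
        ("Remittance Advice -LCDQ26", "LCDQ26.xls", fake_macro_xls()),
        ("Remittance Advice -ABCD12", "ABCD12.xls", benign_xlsx()),
        ("Q3 figures", "figures.xlsm", fake_macro_xlsm()),
    ):
        print(subj, name, triage(subj, name, blob))
```

The verdict deliberately requires two independent signals (hash, or macro plus the campaign subject) so that a legitimate macro-enabled workbook is logged rather than dropped; tighten that to "any VBA project is blocked" only if your organisation already bans inbound macros outright, which is the safer policy the post's recommendation points at.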

2 thoughts on “Email Remittance Advice -LCDQ26 contains Excel file with malicious macro”

  1. This morning two separate “Remittance Advice” emails arrived in my inbox. The format of the “advice” number was similar to the example you give, i.e., four letters followed by two numbers, but each of the two were different.
    Thank you for your work.
    Mike
