Fake email from scanner@***** which includes malicious XLS sheet


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email that is disguised in such a way that it appears to come from an  internal scanner device in your office.

This email is send from the spoofed address “scanner@*yourdomain*” and has the following body:

This E-mail was sent from “RNPF117EA” (Aficio MP C5000).

Scan Date: Wed, 11 Nov 2015 12:40:57 +0300
Queries to: scanner@*yourdomain*

The attached file name contains a string of random numbers like 20151029110925329.xls. This Excel sheet contains mailicious macro coding that will download other malware.

The Excel file is detected by 3 of the 52 AV engines at Virus Total and is known as LooksLike.Macro.Malware.gen!x3 (v) or O97M/Downloader.

Use the Virus Total for more detailed information.
SHA256: b2818610715f6e8e9a480b8fb731b1408be157a7f75ca36f0dd34efd28598822