Fake invoice emails from OfficeFurnitureOnline.co.uk contain malicious Excel file


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with subjects like “Invoice SI823610 from OfficeFurnitureOnline.co.uk Order Ref 4016584”.

This email is sent from the spoofed address “accounts <accounts@equip4work.co.uk>” and has the following body:

Please find attached a sales invoice from OfficeFurnitureOnline.co.uk.

This email address is only for account enquiries, please check your confirmation for any information regarding the order details or delivery lead times.

Thank you for your order.

The attached file is a 61 Kb XLS file with a name like SI823610. It contains a malicious macro script that will download other malware.

At the time of writing, 4 of the 54 AV engines detected the malware at Virus Total, where it is labelled as LooksLike.Macro.Malware.gen!x3 (v), HEUR(high).VBA.Trojan or O97M/Downloader.

See Virus Total for more detailed information.
SHA256: 173189a2f4247f80faf91e160294099f12fa8718659a2633e662fbd9d03280c6

Update:

The macro will download a 102 kB file from the following location: kdojinyhb.wz.cz/87yte55/6t45eyv.exe.

At the time of writing, 0 of the 54 AV engines detected the trojan at Virus Total, but it appears to be the Dridex banking trojan.

See Virus Total for more detailed information.
SHA256: a0ba8ae36f33597858d12db1ed576d1b9278d41b58d29d984b4b753d6570e5e9
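The indicators above can be checked at a mail gateway or against a quarantine folder. The following Python sketch is an added example, not MX Lab's code: it parses a message and reports which campaign indicators it carries. The `\d+` generalisation of the subject, the attachment-name heuristic and the helper names are assumptions, and the sample message is constructed with harmless attachment bytes.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the advisory. Generalising the numbers with \d+ and
# matching on the attachment name are assumptions, not statements from the page.
SUBJECT_RE = re.compile(
    r"Invoice SI\d+ from OfficeFurnitureOnline\.co\.uk Order Ref \d+", re.I)
SPOOFED_SENDER = "accounts@equip4work.co.uk"
KNOWN_SHA256 = {
    "173189a2f4247f80faf91e160294099f12fa8718659a2633e662fbd9d03280c6",  # XLS
    "a0ba8ae36f33597858d12db1ed576d1b9278d41b58d29d984b4b753d6570e5e9",  # EXE
}

def triage_email(raw: bytes) -> list[str]:
    """Return the campaign indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        hits.append("subject")
    if SPOOFED_SENDER in str(msg.get("From", "")).lower():
        hits.append("sender")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if hashlib.sha256(data).hexdigest() in KNOWN_SHA256:
            hits.append("attachment-hash")   # exact match on a published hash
        elif name.endswith(".xls") and re.match(r"si\d+", name):
            hits.append("attachment-name")   # weaker, name-only heuristic
    return hits

def constructed_sample() -> bytes:
    """Constructed message: campaign-style headers, harmless attachment bytes."""
    m = EmailMessage()
    m["From"] = "accounts <accounts@equip4work.co.uk>"
    m["Subject"] = ("Invoice SI823610 from OfficeFurnitureOnline.co.uk "
                    "Order Ref 4016584")
    m.set_content("Please find attached a sales invoice.")
    m.add_attachment(b"not a real spreadsheet", maintype="application",
                     subtype="vnd.ms-excel", filename="SI823610.xls")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage_email(constructed_sample()))
```

A hash hit is a confirmed match; subject, sender and name hits alone only indicate a message worth quarantining for review, since the sender address is spoofed from a real domain.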

2 thoughts on “Fake invoice emails from OfficeFurnitureOnline.co.uk contain malicious Excel file”

  1. Can anyone give any more information on how to detect and remove the resultant infection? We saw 6t45eyv.exe getting downloaded by the Excel Macro but can't tell what happens after that.

    • You can try using an AV tool like Malwarebytes or Spybot S&D. Links to those tools are on the blog site under Security Tools. Hope this can help.
