“DoT Payment Receipt” email contains malicious Excel

MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “DoT Payment Receipt”.

This email is send from the spoofed address “donotreply@transport.gov.uk” and has the following body:

[Automated message. Do not reply]

Thank you for your payment.  It is important that you print this receipt and record the receipt number as proof of your payment. You may be asked to provide your receipt details should you have an enquiry regarding this payment.


This email and any attachments are confidential and may contain legally privileged
and/or copyright material.  You should not read, copy, use or disclose any of the
information contained in this email without authorisation.  If you have received it in
error please contact us at once by return email and then delete both emails.  There is
no warranty that this email is error or virus free.

The attached file PaymentReceipt.xls is an Excel sheet with malicious macro that will download the payload from the following hosts:


The trojan is known as W32/Agent.XL.gen!Eldorado or HEUR/QVM10.1.Malware.Gen.

At the time of writing, 3 of the 53 AV engines did detect the trojan at Virus Total.

Use the Virus Total for more detailed information.
SHA256: e3ac1aa13026feb600371d2ae37a55b682d3efb857dd6573da7987f7c01f52de

One thought on ““DoT Payment Receipt” email contains malicious Excel

Comments are closed.