Fake email “Invoice Document SI528880” contains malicious Excel attachment


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invoice Document SI528880”.

This email is sent from the spoofed address “Lucie Newlove {lucie@hiderfoods.co.uk}” and has the following body:

Please see attached Invoice Document SI528880 from HIDER FOOD IMPORTS LTD.

ARE YOU AWARE THAT OUR NEW WEBSITE IS NOW AVAILABLE?
Please contact our Sales Department for details.

Hider Food Imports Ltd

REGISTERED HEAD OFFICE
Wiltshire Road,
Hull
East Yorkshire
HU4 6PA

Registered in England  Number : 842813

Main Tel: +44 (0)1482 561137
Sales Tel :+44 (0)1482 504333
Fax: +44 (0)1482 565668

E-Mail: mail@hiderfoods.co.uk
Website: http://www.hiderfoods.co.uk

The attached file SI528880.xls is an Excel sheet with a malicious macro that will download the real malware.

The malicious Excel file is known as LooksLike.Macro.Malware.gen!x1 (v).

At the time of writing, 2 of the 55 AV engines detected the trojan at Virus Total. Two variants have been detected.

See Virus Total for more detailed information.
SHA256: 914ee1830e7ab60764623e78a03a27af0c362ee236a866a901b0547d60f8a5c1

See Virus Total for more detailed information.
SHA256: 1ecc514d0bf2b4f340d3c45b832e72d0be1cc5a86182e193221740041bb15052
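
A mail-triage check for this campaign, as an added example that is not part of the original post: it hashes each attachment of a message, compares it against the two SHA256 values above, and flags OLE2 files that carry a VBA project. The function names, the `SI\d+` subject pattern and the marker-based macro heuristic are assumptions; the sample message is constructed and contains only inert bytes.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# SHA256 values of the two Excel variants listed in this post.
KNOWN_XLS_SHA256 = {
    "914ee1830e7ab60764623e78a03a27af0c362ee236a866a901b0547d60f8a5c1",
    "1ecc514d0bf2b4f340d3c45b832e72d0be1cc5a86182e193221740041bb15052",
}
# Assumption: the campaign varies the digits after "SI".
SUBJECT_RE = re.compile(r"Invoice Document SI\d+", re.IGNORECASE)
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# OLE2 directory entry names are UTF-16LE; Excel keeps VBA in "_VBA_PROJECT_CUR".
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def triage(raw_message, known_hashes=KNOWN_XLS_SHA256):
    """Return one finding dict per attachment in an RFC 5322 message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    subject_hit = bool(SUBJECT_RE.search(msg["Subject"] or ""))
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        digest = hashlib.sha256(data).hexdigest()
        findings.append({
            "filename": part.get_filename(),
            "sha256": digest,
            "subject_match": subject_hit,
            "hash_match": digest in known_hashes,
            # Heuristic only: a marker search, not a full OLE2 parse.
            "ole2_with_vba": data.startswith(OLE2_MAGIC) and VBA_MARKER in data,
        })
    return findings


def build_sample():
    """Constructed test message; the attachment is inert bytes, not the real sample."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice Document SI528880"
    msg.set_content("Please see attached Invoice Document.")
    fake_xls = OLE2_MAGIC + b"\x00" * 64 + VBA_MARKER + b"\x00" * 64
    msg.add_attachment(fake_xls, maintype="application",
                       subtype="vnd.ms-excel", filename="SI528880.xls")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

A hash match is exact-file only, so the macro heuristic and subject pattern are what catch a re-packed variant; treat either as a reason to quarantine, not as a verdict.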

Update 26.11.2015 – 13:40:

The malware is downloaded from the following host: naceste2.czechian.net/76t89/32898u.exe

The trojan is detected as HEUR/QVM19.1.Malware.Gen by 1 AV engine at Virus Total.
SHA256: 224575cfbf2a74d79c749bfc3ffcdf0c64e07313799e1cad16013cd7c56edf94
