MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Message from mibser_00919013013”.
This email is sent from the spoofed address “scan@***” (where *** is replaced by your own domain) and has an empty body.
The attached file Smibser_00915110211090.xls is an 81 kB Excel file with an embedded malicious macro that downloads the payload from velitolu.com/89u87/454sd.exe.
The Excel sheet is detected and labelled as LooksLike.Macro.Malware.gen!x3 (v) or heur.macro.download.cc by 3 of the 55 AV engines at Virus Total.
The downloaded malware 454sd.exe is detected as BehavesLike.Win32.Backdoor.cc, HEUR/QVM07.1.Malware.Gen or PE:Malware.Obscure/Heur!1.9E03 [F] by 3 of the 55 AV engines at Virus Total. SHA256: 2078db0becb99c19f4a9fbab2b1cb7c6b2af2095659bcfbc034998e62688b8f9
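The message traits described above can be checked at a mail gateway or during mailbox triage. The following is an added example, not MX Lab code: it assumes the digits in the subject and attachment name vary per message, and the function names, trait labels and `example.test` addresses are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the numeric suffixes differ between messages of the campaign.
SUBJECT_RE = re.compile(r"^Message from mibser_\d+$")
ATTACH_RE = re.compile(r"^Smibser_\d+\.xls$", re.IGNORECASE)


def campaign_traits(raw: bytes) -> set:
    """Return which traits from the advisory a raw RFC 5322 message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    traits = set()
    if SUBJECT_RE.match(str(msg["Subject"] or "").strip()):
        traits.add("subject")
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    rcpt = parseaddr(str(msg["To"] or ""))[1].lower()
    # Spoofed sender: "scan@" followed by the recipient's own domain.
    if "@" in rcpt and sender == "scan@" + rcpt.rsplit("@", 1)[1]:
        traits.add("spoofed_sender")
    # Empty body: no text part at all, or one holding only whitespace.
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        traits.add("empty_body")
    for part in msg.iter_attachments():
        if ATTACH_RE.match(part.get_filename() or ""):
            traits.add("xls_attachment")
    return traits


def build_sample(subject, sender, rcpt, body, filename) -> bytes:
    """Constructed test message; the attachment is a harmless placeholder."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, sender, rcpt
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="vnd.ms-excel", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    sample = build_sample("Message from mibser_00919013013", "scan@example.test",
                          "alice@example.test", "\n", "Smibser_00915110211090.xls")
    print(sorted(campaign_traits(sample)))
```

A message showing all four traits is a strong candidate for quarantine; the spoofed-sender and empty-body traits alone also match legitimate scan-to-email devices, so they should not be used in isolation.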