New Excel malware: Purchase Order 124658 from CliniMed Limited


MX Lab, http://www.mxlab.eu, has started intercepting a new trojan distribution campaign by email with the subject “Purchase Order 124658”.

This email is sent from the spoofed address “Gina Harrowell <gina.harrowell@clinimed.co.uk>” and has the following body:

Sent 2 DEC 15 09:18

CliniMed Ltd
Cavell House
Knaves Beech Way
Loudwater
High Wycombe
Bucks
HP10 9QY

Telephone 01628 850100
Fax 01628 850331

From: CliniMed Limited

Company Registration No: 01646927

Registered Office: Cavell House, Knaves Beech Way,
Loudwater, High Wycombe, Bucks, HP10 9QY

The contents of this e-mail are confidential to the sender and the addressee. If you are not the addressee, or responsible for delivering to the addressee, please notify us immediately by telephoning our IT Support on 01628 850100 (UK) or +44 1628 850100 (international) and delete the message from your computer without copying or forwarding it or disclosing its contents to any other party. CliniMed Limited cannot accept any responsibility for changes made to this message after it was sent and you should not rely on information given in the message without obtaining written confirmation. It is the responsibility of the addressee to scan incoming mail for viruses and CliniMed Limited accepts no liability or responsibility for viruses. Opinions expressed in this e-mail are those of the sender and may not reflect the opinions and views of CliniMed Limited.

The attached file P-ORD-C-10156-124658 is 94 kB in size and is an Excel workbook carrying a malicious macro.

The Excel is detected as LooksLike.Macro.Malware.gen!x3 (v), Trojan.Script.MLW.dyxcgi, heur.macro.download.cc or HEUR.VBA.Trojan.

At the time of writing, 5 of the 55 AV engines on VirusTotal detected the Excel malware.
SHA256: 96a1cc638a0beecce0fd3ada82901009993d0ef5f76dac4e6ccf30ce2d3bc8ea

The malicious macro in the Excel file downloads an additional 328 kB malware executable from the following URLs:

det-sad-89.ru/4367yt/p0o6543f.exe
vanoha.webzdarma.cz/4367yt/p0o6543f.exe

The trojan is known as Troj.Downloader.W32.Obfuscated, BehavesLike.Win32.Dropper.fh or HEUR/QVM10.1.Malware.Gen.

At the time of writing, 3 of the 54 AV engines on VirusTotal detected the trojan.
SHA256: 450349f6ceede5c78f6eb26af82b1e5e7771b269fbb5bba7419d5a26d6b03f0c
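The two SHA256 values and the two download URLs above are the indicators this post provides. The script below is an added example, not MX Lab's code, showing how to sweep for them: it matches proxy log lines against the download hosts and, because the payload path /4367yt/p0o6543f.exe is identical on both hosts, also flags that path on any other host, since campaigns like this commonly move the payload to a new server. The Squid-style log format and the sample log lines are constructed for the example; only the hashes and URLs come from the post.

```python
"""IOC sweep for the "Purchase Order 124658" campaign (added example)."""
import hashlib
import re
from pathlib import Path
from urllib.parse import urlsplit

# Indicators taken from the MX Lab post.
DOWNLOAD_URLS = (
    "det-sad-89.ru/4367yt/p0o6543f.exe",
    "vanoha.webzdarma.cz/4367yt/p0o6543f.exe",
)
KNOWN_SHA256 = {
    "96a1cc638a0beecce0fd3ada82901009993d0ef5f76dac4e6ccf30ce2d3bc8ea":
        "Excel dropper (P-ORD-C-10156-124658)",
    "450349f6ceede5c78f6eb26af82b1e5e7771b269fbb5bba7419d5a26d6b03f0c":
        "p0o6543f.exe payload",
}

# Derived indicators: the hosts and the shared URL path. Matching on the path
# alone catches a relocated copy on a host the post did not list.
IOC_HOSTS = {urlsplit("http://" + u).hostname for u in DOWNLOAD_URLS}
IOC_PATHS = {urlsplit("http://" + u).path for u in DOWNLOAD_URLS}

# Constructed sample log lines in a Squid-like layout
# (timestamp, client, result/status, bytes, method, URL). Not real traffic.
SAMPLE_LOG = """\
1449047912.001 10.0.0.15 TCP_MISS/200 335872 GET http://det-sad-89.ru/4367yt/p0o6543f.exe
1449047913.120 10.0.0.15 TCP_MISS/200 512 GET http://www.example.com/index.html
1449047990.555 10.0.0.22 TCP_MISS/404 0 GET http://vanoha.webzdarma.cz/4367yt/p0o6543f.exe
1449048000.777 10.0.0.31 TCP_MISS/200 335872 GET http://198.51.100.7/4367yt/p0o6543f.exe
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)")


def match_log_lines(text):
    """Return (client, url, reason) for every log line touching an indicator.

    A 404 still counts: the request shows the macro ran on that client.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, url = m.group(2), m.group(6)
        parts = urlsplit(url)
        if parts.hostname in IOC_HOSTS:
            hits.append((client, url, "known host"))
        elif parts.path in IOC_PATHS:
            hits.append((client, url, "known payload path on new host"))
    return hits


def sha256_of_bytes(data):
    """Hex SHA256 of an in-memory blob (e.g. an extracted attachment)."""
    return hashlib.sha256(data).hexdigest()


def classify_digest(digest):
    """Map a SHA256 hex digest to the sample label, or None if unknown."""
    return KNOWN_SHA256.get(digest.lower())


def classify_file(path):
    """Hash a file on disk and return the sample label if it is a known sample."""
    return classify_digest(sha256_of_bytes(Path(path).read_bytes()))


if __name__ == "__main__":
    for client, url, reason in match_log_lines(SAMPLE_LOG):
        print(f"{client} fetched {url} ({reason})")
```

Run it against exported proxy logs in place of SAMPLE_LOG, and feed quarantined attachments or downloaded binaries to classify_file. Hash matches are exact and will miss a repacked payload, so treat the URL path hits as the broader of the two checks and the hash hits as confirmation.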
