New Excel malware: Invoice No.504514 from Calendars and Diaries of Bristol Limited


MX Lab, http://www.mxlab.eu, has started to intercept a new variant of a previous email malware distribution campaign, this time with the subject “Invoice No.504514”. The fake email is sent from the spoofed address “Sharon Samuels <sharons31@brunel-promotions.co.uk>” and has the following body:

Good morning

Please find attached your latest invoice, for your attention.

Please be advised that your goods have been despatched for delivery.

Regards

Sharon

——————————————–
Calendars and Diaries of Bristol Limited
Hope Road
Bedminster

BRISTOL
Bristol
BS3 3NZ
United Kingdom
Tel:01179636161
Fax:01179664235

The attached file IN504514.xls is an Excel sheet with a malicious macro that will download other files.

The malware is detected as HEUR.VBA.Trojan, Trojan:W97M/MaliciousMacro.GEN or heur.macro.download.cc by 4 of the 54 AV engines at Virus Total.

Use Virus Total or Malwr for more detailed information.
SHA256: 3022caeffabdcbcd6d7d84ad24a1b7f17aedfffe3c743751dc88445c07566852

The macro will download the file from the following host:

hxxp://winnig.privat.t-online.de/98g654d/4567gh98.exe

The downloaded file, 4567gh98.exe, is the same malware as specified in the previous campaign “New Word malware: Documentation: Your Order Ref: SGM249/013”.
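
The indicators listed above can be checked against mail-gateway and proxy logs. The following is an added example, not MX Lab's code: the record layout, the function names and the sample records are assumptions constructed for illustration, and only the indicator values come from this page.

```python
from urllib.parse import urlsplit

# Indicators copied from the advisory above (compared in lower case).
SUBJECT = "invoice no.504514"
SENDER = "sharons31@brunel-promotions.co.uk"
ATTACHMENT = "in504514.xls"
SHA256 = "3022caeffabdcbcd6d7d84ad24a1b7f17aedfffe3c743751dc88445c07566852"
HOST, PATH = "winnig.privat.t-online.de", "/98g654d/4567gh98.exe"

def triage_message(rec):
    # Assumed record layout, not a real gateway schema:
    # {"subject": str, "from": str, "attachments": [{"name": str, "sha256": str}]}
    hits = set()
    if SUBJECT in rec.get("subject", "").lower():
        hits.add("subject")
    if SENDER in rec.get("from", "").lower():
        hits.add("sender")
    for att in rec.get("attachments", []):
        if att.get("name", "").lower() == ATTACHMENT:
            hits.add("name")
        if att.get("sha256", "").lower() == SHA256:
            hits.add("sha256")
    if "sha256" in hits:  # the exact file, even if it was renamed
        return "confirmed", hits
    # The From address is spoofed, so a sender match alone is weak evidence.
    return ("suspect" if hits - {"sender"} else "clean"), hits

def is_download_url(url):
    """True if a proxy-log URL is the macro's download location."""
    if url.lower().startswith("hxxp"):  # accept the defanged form too
        url = "http" + url[4:]
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip(".") == HOST and parts.path == PATH

# Constructed sample records, not real traffic.
SAMPLE_MAIL = [
    {"subject": "Invoice No.504514", "from": "Sharon Samuels <" + SENDER + ">",
     "attachments": [{"name": "IN504514.xls", "sha256": SHA256}]},
    {"subject": "Fwd: documents", "from": "user@example.org",
     "attachments": [{"name": "scan.xls", "sha256": SHA256}]},
    {"subject": "RE: Invoice No.504514", "from": "user@example.org",
     "attachments": [{"name": "IN504514.xls", "sha256": "0" * 64}]},
    {"subject": "Order query", "from": SENDER, "attachments": []}]
SAMPLE_URL = "hxxp://WINNIG.privat.t-online.de/98g654d/4567gh98.exe"

if __name__ == "__main__":
    for rec in SAMPLE_MAIL:
        print(triage_message(rec)[0], "-", rec["subject"])
    print(is_download_url(SAMPLE_URL), SAMPLE_URL)
```

A hash match is reported as confirmed even when the subject and file name differ, while a message that matches only the spoofed sender address is left as clean.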