MX Lab, http://www.mxlab.eu, started to intercept a new variant of a previous malware distribution campaign by email but this time with the subject “Invoice No.504514”, where the fake email is sent from the spoofed address “Sharon Samuels <firstname.lastname@example.org>” and has the following body:
Please find attached your latest invoice, for your attention.
Please be advised that your goods have been despatched for delivery.
Calendars and Diaries of Bristol Limited
The attached file IN504514.xls is an Excel sheet with malicious macro that will download other files.
The malware is detected as HEUR.VBA.Trojan, Trojan:W97M/MaliciousMacro.GEN or heur.macro.download.cc by 4 of the 54 AV engines at Virus Total.
The macro will download the file from the following host:
The downloaded file, 4567gh98.exe, is the same malware as specified in the previous campaign New Word malware: Documentation: Your Order Ref: SGM249/013.