New Excel malware: Your Sage Pay Invoice INV00318132

MX Lab,, started to intercept a new malware distribution campaign by email with the subject “Your Sage Pay Invoice INV00318132”. The message doesn’t originate from Sage Pay, the online payment system provider, but is a forgery with a malicious attachment.

This email is send from the spoofed address “Sagepay EU <>” and has the following body:

Please find attached your invoice.

We are making improvements to our billing systems to help serve you better and because of that the attached invoice will look different from your previous ones. You should have already received an email that outlined the changes, however if you have any questions please contact or call 0845 111 44 55.

Kind regards

Sage Pay

The attached file INV00318132_V0072048_12312014.xls is a Word file with malicious macro.

The malware is detected as HEUR.VBA.Trojan.d, VBA/TrojanDownloader.Agent.ASD,, X2KM_DRIDEX.AW or Troj/DocDl-AZU by 8 of the 54 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: 5ed7b6f362abbf470381d47282d58f58035cb60ae6a667c2709bd02ec68f6c36

The macro will get the payload from hxxp://

The malware is detected as UDS:DangerousObject.Multi.Generic, or PE:Malware.Generic(Thunder)!1.A1C4 [F] by x of the 54 AV engines at Virus Total.

Use the Virus Total for more detailed information.
SHA256:f 0f317116470f500a30e47fc3b4300e05609afa96d03f9ac311abf6dc29be9b2