MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Your Sage Pay Invoice INV00318132”. The message doesn’t originate from Sage Pay, the online payment system provider, but is a forgery with a malicious attachment.
This email is sent from the spoofed address “Sagepay EU <firstname.lastname@example.org>” and has the following body:
Please find attached your invoice.
We are making improvements to our billing systems to help serve you better and because of that the attached invoice will look different from your previous ones. You should have already received an email that outlined the changes, however if you have any questions please contact email@example.com or call 0845 111 44 55.
The attached file INV00318132_V0072048_12312014.xls is a Word file with a malicious macro.
The malware is detected as HEUR.VBA.Trojan.d, VBA/TrojanDownloader.Agent.ASD, heur.macro.download.cc, X2KM_DRIDEX.AW or Troj/DocDl-AZU by 8 of the 54 AV engines at Virus Total.
The macro will get the payload from hxxp://www.phraseculte.fr/09u8h76f/65fg67n
The malware is detected as UDS:DangerousObject.Multi.Generic, BehavesLike.Win32.PackedAP.ch or PE:Malware.Generic(Thunder)!1.A1C4 [F] by x of the 54 AV engines at Virus Total.
Use Virus Total for more detailed information.
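A mail-gateway triage check for the traits described above (the subject lure, and an .xls attachment that is really a Word document carrying a VBA project), written as an added example that is not MX Lab's own tooling. It assumes the attachment is an OLE2 compound file, which the advisory does not state, generalizes the subject match to any invoice number, and uses a constructed sample message.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECT_RE = re.compile(r"Your Sage Pay Invoice INV\d+", re.IGNORECASE)
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file signature

def u16(name):
    # OLE directory entries store stream names as UTF-16LE
    return name.encode("utf-16-le")

def inspect_attachment(filename, data):
    """Heuristic findings for one attachment (raw byte search, no OLE parsing)."""
    findings = []
    if not data.startswith(OLE_MAGIC):
        return findings
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "xls" and u16("WordDocument") in data and u16("Workbook") not in data:
        findings.append("extension-mismatch: .xls holds a Word document")
    if u16("_VBA_PROJECT") in data:
        findings.append("vba-macro-project")
    return findings

def triage(raw):
    """Return findings for one RFC 5322 message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    if SUBJECT_RE.search(msg["Subject"] or ""):
        findings.append("subject-lure")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        findings += inspect_attachment(part.get_filename() or "", data)
    return findings

def build_sample():
    # Constructed test message: the attachment is NOT a real document, only the
    # OLE signature followed by the stream names the heuristic looks for.
    fake = OLE_MAGIC + b"\x00" * 8 + u16("WordDocument") + u16("_VBA_PROJECT")
    m = EmailMessage()
    m["Subject"] = "Your Sage Pay Invoice INV00318132"
    m["From"] = "Sagepay EU <firstname.lastname@example.org>"
    m["To"] = "user@example.com"
    m.set_content("Please find attached your invoice.")
    m.add_attachment(fake, maintype="application", subtype="vnd.ms-excel",
                     filename="INV00318132_V0072048_12312014.xls")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

The byte search is a cheap pre-filter; a production gateway would confirm hits with a real OLE parser before quarantining.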