Email-based threat in message “An employee has been terminated”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “An employee has been terminated”.

This email is sent from spoofed addresses and has the following body:

An Employee has just been terminated.

Name: Michael Harney

Employee profile: Link

Emplid: 6283

Rcd#: 0

Termination Date: 11/22/2016

The embedded URL leads to hxxp://intranet.invoicesharepoint.com/Emplid/employee.php?id=cGF5bWVudEBvY3VsYXIuYmUN and the file Emplid6283.xls can be downloaded.
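The `id` parameter in that URL is base64; decoded, it has the shape of an e-mail address, i.e. a per-recipient tracking token. The following Python is an added example (not code from the MX Lab post) that extracts and decodes the token from a defanged URL; `LURE_URL` and the helper names are my own.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Lure URL quoted in the post, kept defanged (hxxp) so nothing here is clickable.
LURE_URL = ("hxxp://intranet.invoicesharepoint.com/Emplid/employee.php"
            "?id=cGF5bWVudEBvY3VsYXIuYmUN")

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_tracking_id(defanged_url: str) -> Optional[str]:
    """Return the base64-decoded 'id' query value, or None if absent or not base64."""
    # urlparse splits the query regardless of the 'hxxp' scheme; no refanging needed.
    query = parse_qs(urlparse(defanged_url).query)
    token = query.get("id", [""])[0]
    if not token:
        return None
    # Tokens seen in the wild often drop the '=' padding; restore it before decoding.
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    # This campaign's token ends in an encoded CR (the sender's address list
    # apparently had CRLF line endings); strip() removes it.
    return raw.decode("utf-8", errors="replace").strip()


def looks_like_email(value: Optional[str]) -> bool:
    """True when the decoded token has the shape of an e-mail address."""
    return bool(value) and _EMAIL_RE.match(value) is not None


def encodes_recipient(defanged_url: str, recipient: str) -> bool:
    """True when the link's id is the recipient's own address: a per-target
    tracking token lets the download server log who clicked and serve the
    payload once, so a sandbox replay with a different id may see nothing."""
    decoded = decode_tracking_id(defanged_url)
    return decoded is not None and decoded.lower() == recipient.lower()


if __name__ == "__main__":
    token = decode_tracking_id(LURE_URL)
    print("id decodes to an e-mail address:", looks_like_email(token))
```

When triaging such a link, compare the decoded id with the message's recipient before submitting the URL to a sandbox, since the server may key its response to that token.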

The file Emplid6283.xls is an Excel sheet that shows the message “Document created in earlier version of Microsoft Office. To view this document, please ‘Enable Editing’ from the yellow bar and the click ‘Enable Content’.” See screenshot:

Once content is enabled, the Excel sheet downloads the malicious payload from hxxp://profile.invoice-sharepoint.com/Emplid/officeup.exe

The malicious Excel sheet is detected by 0/54 AV engines on VirusTotal. Analysis is available on Malwr and Hybrid Analysis.