MX Lab, http://www.mxlab.eu, has started to intercept a new malware distribution campaign by email with the subject “An employee has been terminated”.
The email is sent from spoofed sender addresses and has the following body:
An Employee has just been terminated.
Name: Michael Harney
Employee profile: Link
Termination Date: 11/22/2016
The embedded URL (defanged here as hxxp) leads to hxxp://intranet.invoicesharepoint.com/Emplid/employee.php?id=cGF5bWVudEBvY3VsYXIuYmUN, from where the file Emplid6283.xls can be downloaded. The id parameter is base64: in this sample it decodes to payment@ocular.be followed by a carriage return, i.e. the recipient's own address, so the landing page presumably uses it to track which recipients clicked.
The file Emplid6283.xls is an Excel workbook whose only visible content is the message “Document created in earlier version of Microsoft Office. To view this document, please “Enable Editing” from the yellow bar and then click “Enable Content”.” See screenshot:
Once the user clicks “Enable Content” (i.e. enables macros), the workbook downloads the malicious payload from hxxp://profile.invoice-sharepoint.com/Emplid/officeup.exe.
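As an added example (not code from the original post or from MX Lab), the script below shows how an analyst can use the two indicators above: it refangs the published URLs, decodes the base64 id parameter to recover the targeted recipient, and scans proxy log lines for hits on the campaign hosts. The log lines are constructed for the example; their format (timestamp, client IP, method, URL, status) and the download path for Emplid6283.xls are assumptions, not taken from the write-up.

```python
import base64
import binascii
import re
from urllib.parse import urlparse, parse_qs

# Indicator hosts from the MX Lab write-up.
CAMPAIGN_IOCS = {
    "intranet.invoicesharepoint.com",   # landing page serving Emplid6283.xls
    "profile.invoice-sharepoint.com",   # second stage: officeup.exe
}


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// URL back into a parseable one."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def decode_tracking_id(url):
    """Return the decoded `id` query parameter, or None if it is absent or
    not valid base64.  The campaign puts the recipient address there; the
    trailing carriage return seen in the sample is stripped."""
    query = parse_qs(urlparse(refang(url)).query)
    raw = query.get("id", [None])[0]
    if raw is None:
        return None
    padded = raw + "=" * (-len(raw) % 4)          # tolerate missing padding
    try:
        data = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    return data.decode("utf-8", errors="replace").strip()


def is_campaign_url(url):
    """True if the URL's host is one of the published indicator hosts."""
    host = urlparse(refang(url)).hostname or ""
    return host.lower() in CAMPAIGN_IOCS


# Constructed proxy log, not from the original post.  Assumed layout:
# timestamp client_ip method url status.  The .xls path is an assumption.
SAMPLE_PROXY_LOG = """\
2016-11-22T09:14:02Z 10.1.4.23 GET http://intranet.invoicesharepoint.com/Emplid/employee.php?id=cGF5bWVudEBvY3VsYXIuYmUN 200
2016-11-22T09:14:05Z 10.1.4.23 GET http://intranet.invoicesharepoint.com/Emplid/Emplid6283.xls 200
2016-11-22T09:15:40Z 10.1.4.23 GET http://profile.invoice-sharepoint.com/Emplid/officeup.exe 200
2016-11-22T09:20:11Z 10.1.7.8 GET http://intranet.example.com/sharepoint/default.aspx 200
"""


def find_victims(log_text):
    """Return (client_ip, url, decoded_id) for every request to a campaign
    host.  A decoded id identifies the phished mailbox; a hit on the .exe
    host means the macro was enabled and the second stage was fetched."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                      # skip malformed lines
        _ts, client, _method, url = parts[:4]
        if is_campaign_url(url):
            hits.append((client, url, decode_tracking_id(url)))
    return hits


if __name__ == "__main__":
    sample = "hxxp://intranet.invoicesharepoint.com/Emplid/employee.php?id=cGF5bWVudEBvY3VsYXIuYmUN"
    print("tracking id decodes to:", decode_tracking_id(sample))
    for client, url, rid in find_victims(SAMPLE_PROXY_LOG):
        print(client, url, rid)
```

The host match is deliberately exact rather than a substring search, so a legitimate internal SharePoint host does not trip the check; extend CAMPAIGN_IOCS with further hosts as they are observed.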