I’ve had two emails today to different addresses with subject lines similar to:
“ATTN: Outstanding Invoices – [4AF8F5] [April|May]”
and
“ATTN: Outstanding Invoices – [37B4C3] [April|May]”
Both contained a .xls attachment.
SHA256: 18c1edd9dd7082ad33ed2663f0401f0a3dcd23933fe5d44ab5b506879d5311aa
SHA256: ec269eb075525d99c32265a5df78b16e308041c8edd5ffd0537571fc830816c2
The VirusTotal report shows it is currently undetected by all antivirus products.
“41160f6_37B4C3.xls” and “d4cb3b62_4AF8F5.xls”
The 41160f6 and d4cb3b62 parts (the bit before the _) contain the start of the address the file was sent to. For example: thecomputerperson_83F32F.xls
As with a lot of these files I’ve had through recently, the attachment appears to be corrupt so no further analysis can be undertaken in Excel.
When opened in Notepad, the file leaks a few things, such as the folder it was made in:
file:///C:/EC2C4CD9 aka. C:\EC2C4CD9
Some files seem to reference file:///C:/EC2C4CD1/1.htm and another referenced file:///C:/EC2C4CD9/9.htm. This might suggest there are at least 9 variants of the corrupt Excel file they are sending.
The full content can be found here:
https://pastebin.mozilla.org/8833190
Headers here:
Received: from [146.88.43.122] (Unknown [146.88.43.122]) by my.server.here with ESMTP ; Tue, 12 May 2015 10:39:06 +0100
Message-ID: <76E290C5.5349444@pnkh.net>
Date: Tue, 12 May 2015 16:39:05 +0700
From: Concetta Gibson <Josephine.410@pnkh.net>
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; DSN=0; uuencode=0; attachmentreminder=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: <41160f6@mydomain.domain>
Subject: ATTN: Outstanding Invoices - [37B4C3] [April|May]
Content-Type: multipart/mixed; boundary="------------439971592007262617349636"
Return-Path: Josephine.410@pnkh.net

Received: from 214.116.244.87.dyn.jtglobal.com (Unknown [87.244.116.214]) by my.server.here with ESMTP ; Tue, 12 May 2015 10:33:10 +0100
Message-ID: <397F3E5F.5772347@jtglobal.com>
Date: Tue, 12 May 2015 10:33:07 +0100
From: Mindy Mccullough <Kelly.dfe@jtglobal.com>
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; DSN=0; uuencode=0; attachmentreminder=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: <d4cb3b62@mydomain.domain>
Subject: ATTN: Outstanding Invoices - [4AF8F5] [April|May]
Content-Type: multipart/mixed; boundary="------------103609058165041523342951"
Return-Path: Kelly.dfe@jtglobal.com

Received: from 177-0-37-184.gnace703.e.brasiltelecom.net.br (177-0-37-184.gnace703.e.brasiltelecom.net.br [177.0.37.184]) by my.server.here with ESMTP ; Tue, 12 May 2015 13:43:55 +0100
Message-ID: <8AE5F5DA.7730387@brasiltelecom.net.br>
Date: Tue, 12 May 2015 09:43:34 -0200
From: Frances Moreno <Roslyn.745@brasiltelecom.net.br>
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; DSN=0; uuencode=0; attachmentreminder=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: <myaddress@mydomain.extension>
Subject: ATTN: Outstanding Invoices - [83F32F] [April|May]
Content-Type: multipart/mixed; boundary="------------165998587139610237710802"
Return-Path: Roslyn.745@brasiltelecom.net.br
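The subject tag, the attachment naming pattern (recipient prefix + same tag) and the headers above give enough to write a mail-gateway check for this campaign. The script below is an added example, not something from the post; the sample headers are constructed to mirror the quoted ones, with a documentation IP in place of the real relay.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed test input modelled on the headers quoted in the post; the relay IP is
# an RFC 5737 documentation address, not one of the addresses from the post.
SAMPLE = """\
Received: from [198.51.100.7] (Unknown [198.51.100.7]) by my.server.here with ESMTP ; Tue, 12 May 2015 10:39:06 +0100
From: Concetta Gibson <Josephine.410@pnkh.net>
To: <41160f6@mydomain.domain>
Subject: ATTN: Outstanding Invoices - [37B4C3] [April|May]
Content-Type: multipart/mixed; boundary="------------439971592007262617349636"

"""

# Subject tag: six upper-case hex characters; accept a hyphen or an en-dash before it.
SUBJECT_RE = re.compile(r"Outstanding Invoices [-\u2013] \[([0-9A-F]{6})\] \[April\|May\]")
# Attachment name: <start of recipient address>_<same six-hex tag>.xls
ATTACH_RE = re.compile(r"^([A-Za-z0-9]+)_([0-9A-F]{6})\.xls$")
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def match_invoice_campaign(raw_headers, attachment_name):
    """Return campaign indicators if headers + attachment name fit the pattern, else None."""
    msg = message_from_string(raw_headers)
    m_subj = SUBJECT_RE.search(msg.get("Subject", ""))
    m_att = ATTACH_RE.match(attachment_name)
    if not (m_subj and m_att):
        return None
    tag = m_subj.group(1)
    prefix, file_tag = m_att.groups()
    local_part = parseaddr(msg.get("To", ""))[1].split("@")[0]
    # Fingerprint from the post: the filename tag equals the subject tag and the
    # filename prefix is the beginning of the recipient's local part.
    if file_tag != tag or not local_part.lower().startswith(prefix.lower()):
        return None
    received = msg.get_all("Received") or []
    ip = RECEIVED_IP_RE.search(received[0]) if received else None
    return {
        "tag": tag,
        "recipient_prefix": prefix,
        "sender": parseaddr(msg.get("From", ""))[1],
        "relay_ip": ip.group(1) if ip else None,
    }


if __name__ == "__main__":
    print(match_invoice_campaign(SAMPLE, "41160f6_37B4C3.xls"))
    print(match_invoice_campaign(SAMPLE, "report_37B4C3.xls"))  # prefix mismatch -> None
```

A hit returns the tag, the recipient prefix, the sender address and the first-hop relay IP, which is what you would log or feed into a block rule; an ordinary invoice mail with a matching subject but an unrelated attachment name is not flagged.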