I received this gem of an email to my work inbox this morning. Ran the spreadsheet that was attached through Hybrid Analysis and VirusTotal, and they didn’t find anything. Hell, Google didn’t detect anything, which made me raise an eyebrow. It’s definitely doing something to Hybrid Analysis’s VM, since the spreadsheet opened and then closed and didn’t display anything. If you intend to open this spreadsheet for yourself, please note that I have no idea what it does. I have no idea if it has any VM-busting code it writes when executing. Download and execute in your own test environments at your own risk.
I have emailed the person in the email it was intended for to alert them of this scam/spam email. I guess I'll find out if it's being operated by the same person or if it's an innocent potential victim.
Headers:
From: Margaret Hobbs <[email protected]>
To: [potentially compromised email, will be edited if the email in question is used by the same person]
Body:
Given invoice specification 522156
[Attached Excel (.xls) file named "document_522156.xls"; sample available at https://hybrid-analysis.com/sample/e6d81b6e5a1d0e53e87d9f17d2f37bddfb7d09af2c8fd9e93e5c108aea8d4212/5e9d979ab66ff14e051579fa]