Malware Email: “Scanned document from MX-2600N”/”[email protected]

This fake scanned document has a malicious payload attached:

FROM: [email protected]
REPLY TO: [email protected]
SUBJECT: Scanned document from MX-2600N
DATE: Sun, 11 Oct 2015 13:59:06

Scanned document from MX-2600N

Attached file is scanned document in XLS format.

The filename of the attached file is: [email protected]victimdomain.tld_20151011_160214.xls (where victimdomain.tld is the victim’s own domain).

File name: [email protected]_20151011_160214.xls
File size: 103.5 KB ( 105984 bytes )
MD5 hash: 9e3f2ef34def90b30b8c1e3ea6ef421f
SHA1 hash: a3f55fa1ae7026d692df893a5b7c22743e15c9be
SHA256 hash: 20b8c4dcefcb1fbb38c4bf63a504b30af9bfeb56923d4e2d52bf78ab8683f5bb
Detection ratio: 28 / 56
First submission: 2015-10-07 09:17:03 UTC
VirusTotal link:
Hybrid-Analysis link:

Further analysis of the Excel spreadsheet indicates that it contains malicious macros (analysis of the XLS file has already been performed by @Dynamoo and posted to Pastebin). The file would download a binary from the URL below:


The executable is already detected by VirusTotal (28/52).
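A mail-triage check built from the indicators in this post (subject line, attachment name that embeds the recipient's own domain, and the SHA256 of the XLS), added here as an example and not part of the original post. The names `triage` and `build_sample`, the `example.org` addresses and the placeholder attachment bytes are constructed; the exact filename prefix is not shown on the page, so the pattern only assumes it ends with the recipient domain followed by `_YYYYMMDD_HHMMSS.xls`.

```python
import hashlib
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the post.
SUBJECT = "Scanned document from MX-2600N"
KNOWN_SHA256 = {"20b8c4dcefcb1fbb38c4bf63a504b30af9bfeb56923d4e2d52bf78ab8683f5bb"}
# Assumed filename shape: <prefix ending in recipient domain>_YYYYMMDD_HHMMSS.xls
STAMPED_XLS = re.compile(r"^(?P<prefix>.*)_\d{8}_\d{6}\.xls$", re.IGNORECASE)


def triage(msg):
    """Return the list of campaign indicators a message matches (empty = none)."""
    reasons = []
    if SUBJECT.lower() in str(msg.get("Subject", "")).lower():
        reasons.append("subject")
    rcpt_domain = parseaddr(str(msg.get("To", "")))[1].rpartition("@")[2].lower()
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # container or body part, not an attachment
        m = STAMPED_XLS.match(name)
        if m and rcpt_domain and m.group("prefix").lower().endswith(rcpt_domain):
            reasons.append("filename-embeds-recipient-domain")
        payload = part.get_payload(decode=True) or b""
        if hashlib.sha256(payload).hexdigest() in KNOWN_SHA256:
            reasons.append("known-sha256")
    return reasons


def build_sample(subject, to, filename):
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["To"] = to
    msg.set_content("Attached file is scanned document in XLS format.")
    msg.add_attachment(b"placeholder, not the real sample",
                       maintype="application", subtype="vnd.ms-excel",
                       filename=filename)
    return msg


if __name__ == "__main__":
    lure = build_sample(SUBJECT, "alice@example.org",
                        "scan@example.org_20151011_160214.xls")
    print(triage(lure))
```

The filename check is the indicator that survives repacking of the attachment, since the hash changes with every rebuilt XLS while the naming scheme stays tied to the recipient.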
