Malware spam: “Please find attached a XLS Invoice 378296” / / Ansell Lighting

This fake financial spam comes with a malicious attachment, purporting to come from Ansell Lighting:

Subject:     Please find attached a XLS Invoice 378296
From: (
Date:     Tuesday, 29 November 2016, 10:32

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.

Please find attached your Invoice for Goods/Services recently delivered. If you have any questions, then pleasedo not hesitate in contacting us.Karen Lightfoot -Credit Controller, Ansell Lighting, Unit 6B, Stonecross Industrial Park, Yew Tree Way, WA3 3JD. Tel: +44 (0)5216 154 830 Fax: +44 (0)5216 154 830

The email comes from a random creditcontrol@something email address. Attached is a malicious Excel file with a name such as



My usual reliable source says that the various versions of Excel spreadsheet download a component from one of the following locations:


Hybrid Analysis shows that this is Locky ransomware, phoning home to: [hostname:] (Megaserver LLC, Russia) [hostname:] (OVH, France) (Selectel SPb, Russia)

A DLL is dropped with an MD5 of b46f0fcb0f962f41b5b43725b440dabb and a VirusTotal detection rate of



Recommended blocklist:

Source: Dynamoo’s Blog @ November 29, 2016 at 04:30AM
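
The traits the write-up gives for this campaign (the subject line, a creditcontrol@ sender and an Excel attachment) can be combined into a mail-triage check. This is an added example, not code from the original post: treating the invoice number as variable, the list of Excel extensions, the sample addresses and the attachment file names are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Subject wording is from the write-up; allowing any invoice number is an
# assumption, since the page shows only 378296.
SUBJECT_RE = re.compile(r"^Please find attached a XLS Invoice \d+$", re.I)
# Assumption: which extensions count as an "Excel file".
EXCEL_EXTS = (".xls", ".xlsx", ".xlsm", ".xlsb")


def triage(raw_message: str) -> dict:
    """Score one raw RFC 5322 message against the three campaign traits."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    _, addr = parseaddr(msg.get("From") or "")
    local_part = addr.rpartition("@")[0].lower()
    # get_filename() reads Content-Disposition, then falls back to Content-Type name.
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    hits = {
        "subject": bool(SUBJECT_RE.match(subject)),
        "sender": local_part == "creditcontrol",
        "excel_attachment": any(n.lower().endswith(EXCEL_EXTS) for n in names),
    }
    # Quarantine only when all three traits line up, to limit false positives
    # on genuine invoices from real credit-control mailboxes.
    hits["quarantine"] = all(hits.values())
    return hits


def build_sample(subject: str, sender: str, filename: str) -> str:
    """Build a constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = sender
    m["To"] = "accounts@recipient.example"
    m.set_content("Please find attached your Invoice for Goods/Services recently delivered.")
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="vnd.ms-excel", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    spam = build_sample("Please find attached a XLS Invoice 378296",
                        "creditcontrol@sender.example", "constructed_invoice.xls")
    print(triage(spam))
```
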