Just a sample of the Echomail archive
|  Message 1458  |
|  August Abolins to All  |
|  trojan inside xls file  |
|  10 Mar 20 09:25:00  |
MSGID: 2:221/1.58@fidonet e2496f20
PID: OpenXP/5.0.43 (Win32)
CHRS: ASCII 1
TZUTC: -0400

Hello!

There's a bogus .xls file going around with a malware payload. This is the second such email I've received in about 3 days:

eg. invoice_554137.xls

What is interesting.. although the filename downloaded is named as per above, VirusTotal reports the filename to be different! So, it's behaving like a file within a file within a file within.. etc.

Processing it at VirusTotal produces:

bff54499db6c578c8b3b842c70d8cb9d30bbe6ec4b04726bfbfaa104346a92ce
invoice_908873.xls
65.50 KB

9 engines detected this file

ESET-NOD32                 DOC/TrojanDownloader.Agent.AUI
Ikarus                     Win32.SuspectCrc
Kaspersky                  HEUR:Trojan.MSOffice.Pederr.gen
Microsoft                  Trojan:Win32/Emali.A!cl
Qihoo-360                  Generic/Trojan.07c
Sophos AV                  Troj/DocDl-XSO
Symantec                   Trojan.Mdropper
TACHYON                    Trojan/XF.Downloader.Gen
ZoneAlarm by Check Point   HEUR:Trojan.MSOffice.Pederr.gen
BitDam ATP                 MALWARE
Lastline                   MALWARETROJAN
Ad-Aware                   Undetected
AegisLab                   Undetected
AhnLab-V3                  Undetected
ALYac                      Undetected
Antiy-AVL                  Undetected
Arcabit                    Undetected
Avast                      Undetected
Avast-Mobile               Undetected
AVG                        Undetected
Avira (no cloud)           Undetected
Baidu                      Undetected

The "popular" engines: AVG, Avast, Ad-Aware, and so on down the list don't detect this thing. Bad news.

Beware!

../|ug

--- OpenXP 5.0.43
 * Origin: /|ug's Point, Ont. CANADA (2:221/1.58)
SEEN-BY: 1/123 90/1 103/705 154/10 203/0 221/1 6 360 227/114 229/101
SEEN-BY: 229/426 452 1014 240/5832 249/206 317 400 280/464 5003 288/100
SEEN-BY: 292/854 310/31 317/3 322/757 342/200 396/45 423/81 120 712/848
SEEN-BY: 770/1 2452/250
PATH: 221/1 280/464 229/426