Invoice-Themed Phishing Email Delivering Macro-Enabled Spreadsheet
ID: f9d065d5-73d3-4da4-b08a-fb5a337a3bf4
STIX ID: report--f9d065d5-73d3-4da4-b08a-fb5a337a3bf4
Threat Score
70/100
On 13 April 2026, finance employees at a logistics company received phishing emails carrying an XLSM attachment (Invoice_04132026.xlsm) that prompted the recipient to enable macros. Once enabled, the macros launched PowerShell to fetch a second-stage binary from http://185.14.31.77/docs/update.bin. Infected hosts then contacted 91.243.44.109, a scheduled task named OfficeInvoiceSync was created for persistence, and a dropped file, inv_cache.exe (SHA256: f11ec10d9f3f4dbb9a90fa12d3b1b2e30b497f2bbdc3c4c5c4766e4d71d87911), was observed. The sender address used was accounts@vendor-paymenthelp.com. The campaign is characterized as phishing-based initial access to deploy malware and enable follow-on credential theft.
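As an added illustration (not part of the report above), the following Python script shows how a defender could turn the reported indicators into detection logic. It parses constructed key=value log lines (the log format, hostnames and the sample lines are assumptions made for this example), matches each line against the report's indicators (sender address, attachment name, download URL, the two IP addresses, the scheduled task name, the dropped file name and its SHA256), and additionally applies a behavioural rule for an Office process spawning a script interpreter, which catches the macro-to-PowerShell step even when the infrastructure changes.

```python
import re

# Indicators taken from the report above.
IOC_HASHES = {"f11ec10d9f3f4dbb9a90fa12d3b1b2e30b497f2bbdc3c4c5c4766e4d71d87911"}
IOC_IPS = {"185.14.31.77", "91.243.44.109"}
IOC_URLS = {"http://185.14.31.77/docs/update.bin"}
IOC_TASK_NAMES = {"officeinvoicesync"}
IOC_SENDERS = {"accounts@vendor-paymenthelp.com"}
IOC_FILENAMES = {"invoice_04132026.xlsm", "inv_cache.exe"}

# Behavioural rule: Office applications should not normally spawn script hosts.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample telemetry (assumption: a simple key=value line format).
SAMPLE_LOGS = """
type=process host=FIN-PC01 parent=EXCEL.EXE image=powershell.exe cmdline="powershell -w hidden -c ..."
type=network host=FIN-PC01 dst=185.14.31.77 dport=80 url=http://185.14.31.77/docs/update.bin
type=process host=FIN-PC01 parent=explorer.exe image=outlook.exe
type=task host=FIN-PC01 action=created name=OfficeInvoiceSync
type=file host=FIN-PC01 path=C:\\Users\\a\\AppData\\Local\\inv_cache.exe sha256=F11EC10D9F3F4DBB9A90FA12D3B1B2E30B497F2BBDC3C4C5C4766E4D71D87911
type=email host=MAIL01 from=accounts@vendor-paymenthelp.com attachment=Invoice_04132026.xlsm
type=network host=FIN-PC02 dst=10.0.0.5 dport=445
"""

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one log line into a dict of fields; quoted values may contain spaces."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def evaluate(fields):
    """Return a list of (host, rule, detail) hits for one parsed log line."""
    kind = fields.get("type")
    host = fields.get("host", "unknown")
    hits = []
    if kind == "process":
        parent = fields.get("parent", "").lower()
        image = fields.get("image", "").lower()
        if parent in OFFICE_PARENTS and image in SCRIPT_CHILDREN:
            hits.append((host, "office_spawns_script", f"{parent} -> {image}"))
    elif kind == "network":
        dst = fields.get("dst", "")
        if dst in IOC_IPS:
            hits.append((host, "known_c2_ip", dst))
        url = fields.get("url", "")
        if url in IOC_URLS:
            hits.append((host, "stage2_url", url))
    elif kind == "task":
        name = fields.get("name", "").lower()
        if name in IOC_TASK_NAMES:
            hits.append((host, "persistence_task", name))
    elif kind == "file":
        sha = fields.get("sha256", "").lower()          # normalise case before matching
        basename = fields.get("path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if sha in IOC_HASHES:
            hits.append((host, "dropped_file_hash", sha))
        if basename in IOC_FILENAMES:
            hits.append((host, "dropped_file_name", basename))
    elif kind == "email":
        if fields.get("from", "").lower() in IOC_SENDERS:
            hits.append((host, "phishing_sender", fields["from"]))
        if fields.get("attachment", "").lower() in IOC_FILENAMES:
            hits.append((host, "phishing_attachment", fields["attachment"]))
    return hits


def scan(log_text):
    """Run every rule over every line and return all hits."""
    findings = []
    for line in log_text.strip().splitlines():
        findings.extend(evaluate(parse_line(line)))
    return findings


def summarize(findings):
    """Group triggered rule names per host so the full chain on one host is visible."""
    by_host = {}
    for host, rule, _detail in findings:
        by_host.setdefault(host, set()).add(rule)
    return {host: sorted(rules) for host, rules in by_host.items()}


if __name__ == "__main__":
    for host, rules in summarize(scan(SAMPLE_LOGS)).items():
        print(host, ", ".join(rules))
```

Grouping hits per host is what makes the report's chain visible in practice: a single host showing Office-to-script execution, the download URL, the C2 address, the scheduled task and the dropped file is a much stronger signal than any one indicator alone, and the behavioural rule keeps firing after the attacker rotates IPs, hashes or task names.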
