MX Lab intercepted some emails with the subject “Scan from a Xerox WorkCentre Pro N 6204257″ that contains the latest Oficla trojan variant. The emails are sent from a spoofed email address and contains a subject in one of the following formats:
Scan from a Xerox WorkCentre Pro $6208924
Scan from a Xerox WorkCentre Pro #7943943
Scan from a Xerox WorkCentre Pro N9700617
Body of the email:
Please open the attached document. It was scanned and sent to you using a Xerox
Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]
WorkCentre Pro Location: machine location not set
Device Name: XRX6919AA7ACDB46116749
For more information on Xerox products and solutions, please visit
The email contains a ZIP archive named Tax report.zip with the 56 kB large document Xerox_doc.exe inside.
Virus Total permlink and MD5: eadf133be4dc58050626a5fd194fc546.