Invoice in malicious Word file with fake emails from UK Fuels Ltd


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “UK Fuels E-bill”.

This email is sent from the spoofed address “invoices@ebillinvoice.com” and has the following body:

Customer No : 35056
Email address : uebs2@spiritmediaworks.co.uk
Attached file name : 35056_49_2014.doc

Dear Customer

Please find attached your invoice for Week 49 2014.

In order to open the attached DOC file you will need
the software Microsoft Office Word.

If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.
Yours sincerely

Customer Services
UK Fuels Ltd

======================================================
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
======================================================

The email carries a 91 kB file named 35056_49_2014.doc that is not flagged as a potential risk by the 56 engines on Virus Total. It is a malicious Word document that, when opened, tries to execute a macro in order to download a binary which contains the real trojan.

The binary will be downloaded from hxxp://KAFILATRAVEL.COM/js/bin.exe and is 77 kB.

At the time of writing, 3 of the 56 AV engines on Virus Total do not detect the malicious Word file.

Use the Virus Total permalink or Malwr permalink for more detailed information.
SHA256: 9fae183a06c6980b8f6662156612e395e70cf75aa1c266037fcbbd283e9923ad
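As an added example (not MX Lab's code), the following Python mail-gateway triage rule flags messages carrying the indicators this post gives: the subject, the spoofed sender domain, the numeric attachment name, a binary Office (OLE) attachment and the published SHA256. The sample message and its dummy attachment are constructed, and the attachment-name pattern (customer_week_year.doc) is an assumption generalising the one observed name.

```python
"""Mail-gateway triage for the "UK Fuels E-bill" campaign above. Added example,
not MX Lab's code; the sample message and its dummy OLE attachment are constructed."""
import hashlib
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr
# Indicators from the post; the name pattern (customer_week_year.doc) is an assumption.
CAMPAIGN_SUBJECT = "uk fuels e-bill"
SPOOFED_SENDER_DOMAIN = "ebillinvoice.com"
ATTACHMENT_NAME_RE = re.compile(r"^\d+_\d{1,2}_\d{4}\.doc$", re.IGNORECASE)
KNOWN_BAD_SHA256 = {"9fae183a06c6980b8f6662156612e395e70cf75aa1c266037fcbbd283e9923ad"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (.doc) container

def triage(raw: bytes) -> list:
    """Return the campaign indicators that fire on one raw RFC 822 message."""
    msg = message_from_bytes(raw)
    hits = []
    if CAMPAIGN_SUBJECT in (msg["Subject"] or "").lower():
        hits.append("subject")
    _, addr = parseaddr(msg["From"] or "")
    if addr.lower().rpartition("@")[2] == SPOOFED_SENDER_DOMAIN:
        hits.append("spoofed-sender")
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue  # containers and message bodies are not attachments
        data = part.get_payload(decode=True) or b""
        if ATTACHMENT_NAME_RE.match(name):
            hits.append("attachment-name")
        if data.startswith(OLE_MAGIC):
            hits.append("ole-attachment")  # the .doc really is a binary Office file
        if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
            hits.append("known-sha256")
    return hits

def verdict(raw: bytes) -> str:
    """Quarantine on the published hash or on two or more weaker indicators."""
    hits = triage(raw)
    return "quarantine" if "known-sha256" in hits or len(hits) >= 2 else "deliver"

def build_sample() -> bytes:
    """Constructed lookalike of the campaign email, not the real message."""
    m = EmailMessage()
    m["From"] = "Customer Services <invoices@ebillinvoice.com>"
    m["Subject"] = "UK Fuels E-bill"
    m.set_content("Dear Customer\n\nPlease find attached your invoice for Week 49 2014.\n")
    m.add_attachment(OLE_MAGIC + b"\x00" * 64, maintype="application",
                     subtype="msword", filename="35056_49_2014.doc")
    return m.as_bytes()
```

Run `verdict(build_sample())` to see the constructed lookalike quarantined on four weaker indicators; a real sample would additionally hit the published hash.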

6 thoughts on “Invoice in malicious Word file with fake emails from UK Fuels Ltd”

  1. Found it in my inbox this morning. As I hadn’t been able to access my emails for several days (thanks TalkTalk) it nearly caught me out, but there was no account number, no name and anyway the mem saab pays all the bills!

  2. Our community centre got this this morning but did not open the document (phew!)
    We looked up “ebillinginvoice.com” and down the page found you.

    Many thanks guys!!

    Doug Fowler

  3. Very nearly opened this. I don’t have Word installed, so my usual programme, Pages, tried but nothing appeared. I’m presuming the trojan failed to download and, as I am using a Mac, it would affect my machine anyway…. fingers crossed. Thanks anyway for making your page so easy to find.
    Max

  4. Thanks for the warning. E-mail arrived today. I was suspicious, researched UK Fuels, ok; researched ebillingvoice, again ok; dug deeper till I found you. Thanks very much, keep up the good work.

  5. Same as Les Wynn’s comment: Thanks for the warning. E-mail arrived today. I was suspicious and researched UK Fuels. Also checked ebillingvoice. Then saw your link. Thanks very much; keep up the good work. Link to www dot velocitycardmanagement dot com which looks OK but I didn’t follow any links on it. Seem to be getting a lot of same or similar MS Office type emails. Usually .doc but sometimes .xls. I don’t enable macros by default so not really a problem.
