Fake email “Invoice” from HEXIS (UK) LIMITED contains malicious Word file


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Invoice”.

This email is sent from the spoofed address “Invoice from Hexis <Invoice@hexis.co.uk>” and has the following body:

Sent 15 JAN 15 08:30

HEXIS (UK) LIMITED
7 Europa Way
Britannia Park
Lichfield
Staffordshire
WS14 9TZ

Telephone 01543 411221
Fax 01543 411246

The attached file S-INV-CREATIFX-465219.doc is a Word file with an embedded macro that will download the 115 kB executable bin.exe from the following locations:

hxxp://dramakazuki.kesagiri.net/js/bin.exe
hxxp://cassiope.cz/js/bin.exe

The trojan is known as UDS:DangerousObject.Multi.Generic, Trojan.FakeMS.ED or PE:Malware.XPACK-LNR/Heur!1.5594.

At the time of writing, 4 of the 57 AV engines detected the trojan at Virus Total.

Use Virus Total or Malwr for more detailed information.
SHA256: 87f639a395dc72d9fa2aa517ec2776ee3c9e9c2fa71ba50d832e0ff012373b22
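
To hunt for the macro's download step in web proxy logs, the following added example (not part of the original post) refangs the two download locations listed above and matches them against log lines. The log layout, the sample lines and the "path-only" verdict for the shared /js/bin.exe path on hosts not named in the post are assumptions.

```python
import re
from urllib.parse import urlsplit

# Defanged download locations exactly as listed in the post.
DEFANGED_IOCS = [
    "hxxp://dramakazuki.kesagiri.net/js/bin.exe",
    "hxxp://cassiope.cz/js/bin.exe",
]

def refang(url):
    """Turn a defanged indicator (hxxp://, [.]) back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I).replace("[.]", ".")

def normalise(url):
    """Return (host, path), lower-cased, without port or trailing dot."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").rstrip(".").lower()
    return host, parts.path.lower()  # case-insensitive path match, for hunting

IOC_SET = {normalise(u) for u in DEFANGED_IOCS}
IOC_PATHS = {path for _, path in IOC_SET}

def classify(log_line):
    # Assumed (hypothetical) log layout: timestamp client method url status bytes
    fields = log_line.split()
    if len(fields) < 4:
        return None
    host, path = normalise(fields[3])
    if (host, path) in IOC_SET:
        return "ioc", fields[1], fields[3]
    if path in IOC_PATHS:  # assumption: same path reused on another host
        return "path-only", fields[1], fields[3]
    return None

def hunt(lines):
    """Return (verdict, client, url) for every matching log line."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2015-01-15T08:41:02Z 10.0.0.23 GET http://cassiope.cz/js/bin.exe 200 117760",
    "2015-01-15T08:41:09Z 10.0.0.23 GET http://example.org/index.html 200 5120",
    "2015-01-15T08:44:37Z 10.0.0.57 GET http://DRAMAKAZUKI.kesagiri.net:80/JS/bin.exe 200 117760",
    "2015-01-15T09:02:11Z 10.0.0.61 GET http://files.example.net/js/bin.exe 404 0",
]

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

Clients returned with the "ioc" verdict fetched one of the listed locations and should be triaged first; "path-only" hits are leads to review, not confirmed infections.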
