MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Invoice”.
This email is sent from the spoofed address “Invoice from Hexis <Invoice@hexis.co.uk>” and has the following body:
Sent 15 JAN 15 08:30
HEXIS (UK) LIMITED
7 Europa Way
Telephone 01543 411221
Fax 01543 411246
The attached file S-INV-CREATIFX-465219.doc is a Word file with an embedded macro that will download the 115 kB executable bin.exe from the following locations:
The trojan is known as UDS:DangerousObject.Multi.Generic, Trojan.FakeMS.ED or PE:Malware.XPACK-LNR/Heur!1.5594.
At the time of writing, 4 of the 57 AV engines detected the trojan at VirusTotal.
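With so few engines detecting the payload, mail-side triage on the traits described above (sender, subject, a legacy .doc attachment carrying a VBA project) is a useful complement. The following is an added example, not MX Lab's code: the function names are hypothetical, the macro check is a heuristic that looks for the UTF-16LE `_VBA_PROJECT` stream name in an OLE2 file, and the sample message is constructed with a stub attachment rather than a real document.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")      # OLE2 compound file signature
# Directory entry names inside an OLE2 file are stored as UTF-16LE.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

def has_vba_marker(data: bytes) -> bool:
    """Heuristic: OLE2 file whose directory names a _VBA_PROJECT stream."""
    return data.startswith(OLE_MAGIC) and VBA_MARKER in data

def triage(raw: bytes) -> list[str]:
    """Return the campaign traits found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    if sender.endswith("@hexis.co.uk"):
        findings.append("from:hexis.co.uk")
    if str(msg["Subject"] or "").strip().lower() == "invoice":
        findings.append("subject:Invoice")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".doc"):
            continue
        findings.append(f"attachment:{name}")
        if has_vba_marker(part.get_payload(decode=True) or b""):
            findings.append(f"macro:{name}")
    return findings

def build_sample(with_macro: bool) -> bytes:
    """Constructed test message; the attachment is a stub, not a real document."""
    m = EmailMessage()
    m["From"] = "Invoice from Hexis <Invoice@hexis.co.uk>"
    m["To"] = "user@example.com"                     # constructed recipient
    m["Subject"] = "Invoice"
    m.set_content("Sent 15 JAN 15 08:30")
    stub = OLE_MAGIC + b"\x00" * 64 + (VBA_MARKER if with_macro else b"")
    m.add_attachment(stub, maintype="application", subtype="msword",
                     filename="S-INV-CREATIFX-465219.doc")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample(with_macro=True)))
```

A `macro:` finding is a reason to quarantine and inspect the attachment with a dedicated OLE parser; the byte search alone does not prove the macro is malicious.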