Emails “Invoice ID:248c90 in attachment.” contains Word file with malicious macro

MX Lab,, started to intercept a new malware distribution campaign by email with the subject “Invoice ID:248c90 in attachment.” (numbers will vary in each subject line and also in the attached file name). This email is send from the spoofed addresses and has no body content.

The attached file 248c90.doc is in fact an Word file with embedded macro that will download the real trojan from different hosts.

At the time of writing, 0 of the 56 AV engines did detect the malware at Virus Total.
SHA256: 0f1b5377c8dd493bfb9c9fcd980e3ef88c0c68c03abfabf813307295f38485c0

MX Lab recommends not to open the attached Word file or at least make sure that macro’s are disabled.