Malicious Word attached to fake email Copy of your 123-reg invoice ( 123-015309323 )from

MX Lab,, started to intercept a new malware distribution campaign by email with the subject “Copy of your 123-reg invoice ( 123-015309323 )” – number in the subject may change.

This email is send from the spoofed address “” and has the following body:


Thank you for your order.

Please find attached to this email a receipt for this payment.

Help and support

If you are still stuck why not contact our support team? Simply visit our 123-reg Support Centre and click on the Ask a Question tab.

Thank you for choosing 123-reg.

The 123-reg team.

About us | Privacy policy
© Copyright 123-reg – Part of Webfusion Ltd

Webfusion Ltd is a company registered in England and Wales with company number 05306504. Our VAT number is 927 1292 22. The address of our registered office is: 5 Roundwood Avenue, Stockley Park, Uxbridge, Middlesex, UB11 1FF.

Screenshot of the fake message:

The attached file 123-reg-invoice.doc which is 53kB large, is a malcious Word file tha contains a macro with the instructions to download other malware on the system.

The malicious Word file is detected as MO97:Downloader-WY [Trj], Macro.Trojan-Downloader.Agent.EB@gen, W97M/Downloader or (v)

At the time of writing, 5 of the 56 AV engines did detect the trojan at Virus Total.

Use the Virus Total for more detailed information.
SHA256: 4baef401edc96a5e777724dbfded6ad5536f5badc88ec8f9c42c8dc35d201ba8

MX Lab recommends not to open this Word file or at least disable macros.

One thought on “Malicious Word attached to fake email Copy of your 123-reg invoice ( 123-015309323 )from

  1. Thank you, I’ve had these to at the same as some of my domains were being renewed but I thought they were suss, that’s why i gogled them and found your confirmation of my susspicions.

Comments are closed.