New Word malware: Request for payment (PGS/73329) from PGS Services Limited


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Request for payment (PGS/73329)”.

This email is sent from the spoofed address “PGS Services Limited <rebecca@pgs-services.co.uk>” and has the following body:

Although we have contacted you already our system is still showing that the invoice remains unpaid.

RST Support Services Limited
Rotary Watches Ltd
2 Fouberts Place
London

W1F 7PA

Full details are attached to this email in DOC format.

Click here to make a payment
If there is any reason why payment should not be made or if you are experiencing difficulties with making the payment please get in touch so that we can discuss the matter and stop the recovery process.

Kind regards,

Rebecca Hughes

Customer services team
PGS Services | Expert Property Care

Direct dial: 0203 819 7054
Email: rebecca@pgs-services.co.uk
Visit our website: www.pgs-services.co.uk

10 quick questions – tell us what you think!
http://www.pgs-services.co.uk/feedback/

The embedded URL/button with “Click here to make a payment” leads to hxxps://www.pgs-services.co.uk/secure/pgs-payment.php?a=73329&b=3&c=6555&d=649a79cf0342f920d6b62e7f73777dc9&e=865c0c0b4ab0e063e5caa3387c1a8741, but so far we have not been able to connect to it.

The attached file 3-6555-73329-1435806061-3.doc is a 115 kB Word document (not an Excel file, despite the earlier wording; its name repeats the 3, 6555 and 73329 values found in the b, c and a parameters of the payment URL) with an embedded malicious macro that downloads a trojan from a remote host.

The Word malware is known as LooksLike.Macro.Malware.gen!d3 (v), HEUR.VBA.Trojan.B or W97M.Dropper.KV.

At the time of writing, 4 of the 55 AV engines on VirusTotal detected the trojan.

See VirusTotal for more detailed information.
SHA256: 70084c788933a1bbff1bf87df316caf4d79cdff6add65c99b637004779b1b815

Update 01/12/2015 – 14:40:

The macro can download the trojan from the following locations:

rotulosvillarreal.com/~clientes/6543f/9o8jhdw.exe
cru3lblow.xf.cz/6543f/9o8jhdw.exe
data.axima.cz/~krejcir/6543f/9o8jhdw.exe

The trojan can make connections to the following IPs:

94.73.155.12
89.32.145.12
221.132.35.56
157.252.245.29

The trojan is known as UDS:DangerousObject.Multi.Generic or QVM19.1.Malware.Gen.

The 168 kB file 9o8jhdw.exe is detected by 2 of the 55 AV engines on VirusTotal.
SHA256: b8e71df7a2236f1cf65ba6be02a6615217b61166e71164979d23d7254a446d1b
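For anyone hunting for this campaign in their own logs, the following is an added example (not MX Lab's code) that turns the indicators listed in this post into a small matcher: it recognises the attachment naming pattern, flags proxy requests for the download URLs or their hosts, flags outbound firewall connections to the listed IPs, and correlates the two to find clients that both fetched 9o8jhdw.exe and contacted a listed IP. The proxy and firewall log lines are constructed for illustration; the assumption that every attachment in this campaign follows the same five-field numeric pattern is based on the single sample above, and the 10-digit field is treated as an opaque number (the post does not say what it encodes).

```python
"""Match the IOCs from the MX Lab post against constructed proxy and
firewall log lines.  Added example, not code from the original post."""
import re
from urllib.parse import urlparse

# Indicators taken from the post (update of 01/12/2015).
DOWNLOAD_URLS = {
    "rotulosvillarreal.com/~clientes/6543f/9o8jhdw.exe",
    "cru3lblow.xf.cz/6543f/9o8jhdw.exe",
    "data.axima.cz/~krejcir/6543f/9o8jhdw.exe",
}
DOWNLOAD_HOSTS = {u.split("/", 1)[0] for u in DOWNLOAD_URLS}
C2_IPS = {"94.73.155.12", "89.32.145.12", "221.132.35.56", "157.252.245.29"}
HASHES = {
    "70084c788933a1bbff1bf87df316caf4d79cdff6add65c99b637004779b1b815": "3-6555-73329-1435806061-3.doc",
    "b8e71df7a2236f1cf65ba6be02a6615217b61166e71164979d23d7254a446d1b": "9o8jhdw.exe",
}

# Attachment naming pattern: b-c-invoice-<10 digits>-n.doc.  Assumption: the
# post shows one sample; other mails in the campaign may vary.
ATTACHMENT_RE = re.compile(r"^(\d+)-(\d+)-(\d+)-(\d{10})-(\d+)\.doc$", re.IGNORECASE)


def classify_attachment(name):
    """Return the numeric fields of a campaign-style attachment name, else None."""
    m = ATTACHMENT_RE.match(name)
    if not m:
        return None
    return {"b": m.group(1), "c": m.group(2), "invoice": m.group(3),
            "stamp": int(m.group(4)), "n": m.group(5)}


def known_hash(sha256):
    """Map a SHA256 to the sample name given in the post, or None."""
    return HASHES.get(sha256.lower())


# Constructed Squid-style access log: time client status size method url ...
PROXY_LOG = """\
1449000001.123 10.0.0.15 TCP_MISS/200 172032 GET http://rotulosvillarreal.com/~clientes/6543f/9o8jhdw.exe - DIRECT/1.2.3.4 application/x-dosexec
1449000002.456 10.0.0.22 TCP_MISS/200 5123 GET http://www.example.org/index.html - DIRECT/5.6.7.8 text/html
1449000003.789 10.0.0.15 TCP_MISS/404 600 GET http://data.axima.cz/~krejcir/6543f/other.exe - DIRECT/9.9.9.9 text/html
"""


def proxy_hits(log):
    """Yield (client, kind, url) for requests to the download URLs or hosts."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        client, url = parts[1], parts[5]
        host = urlparse(url).hostname
        host_and_path = url.split("://", 1)[-1]
        if host_and_path in DOWNLOAD_URLS:
            hits.append((client, "download_url", url))   # exact payload URL
        elif host in DOWNLOAD_HOSTS:
            hits.append((client, "download_host", url))  # same host, other path
    return hits


# Constructed iptables/netfilter log lines for outbound connections.
FW_LOG = """\
Dec  1 14:41:02 gw kernel: [12345.6] FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=94.73.155.12 PROTO=TCP SPT=51234 DPT=443
Dec  1 14:41:05 gw kernel: [12348.9] FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.22 DST=93.184.216.34 PROTO=TCP SPT=51235 DPT=80
Dec  1 14:42:10 gw kernel: [12410.1] FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=221.132.35.56 PROTO=TCP SPT=51240 DPT=8080
"""
KV_RE = re.compile(r"\b(SRC|DST|DPT)=(\S+)")


def c2_hits(log):
    """Return (src, dst, dport) for connections to the IPs listed in the post."""
    hits = []
    for line in log.splitlines():
        kv = dict(KV_RE.findall(line))
        if kv.get("DST") in C2_IPS:
            hits.append((kv.get("SRC"), kv["DST"], kv.get("DPT")))
    return hits


def infected_hosts(proxy_log, fw_log):
    """Clients that fetched the payload URL and then reached a listed IP."""
    downloaded = {c for c, kind, _ in proxy_hits(proxy_log) if kind == "download_url"}
    beaconed = {src for src, _, _ in c2_hits(fw_log)}
    return sorted(downloaded & beaconed)


if __name__ == "__main__":
    print(classify_attachment("3-6555-73329-1435806061-3.doc"))
    print(proxy_hits(PROXY_LOG))
    print(c2_hits(FW_LOG))
    print("likely infected:", infected_hosts(PROXY_LOG, FW_LOG))
```

A request to one of the three hosts with a different path is reported separately as a "download_host" hit: the same accounts were hosting the payload under a directory named 6543f, so other paths on them are worth a look but are not by themselves proof of infection. Only the exact payload URL is used for the correlation with the firewall log.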

5 thoughts on “New Word malware: Request for payment (PGS/73329) from PGS Services Limited”

  1. Just received one of these, assumed it was a scam and didn’t open the attachment or click the link. Replied advising that they will be reported to Trading Standards if they persist in chasing alleged invoice.

  2. Yes I have had 4 so far. Very clever with authentic looking fake website and testimonials to support their “authenticity”.
