New Word malware: Request for payment (PGS/73329) from PGS Services Limited

MX Lab started to intercept a new trojan distribution campaign by email with the subject “Request for payment (PGS/73329)”.

This email is sent from the spoofed address “PGS Services Limited <>” and has the following body:

Although we have contacted you already our system is still showing that the invoice remains unpaid.

RST Support Services Limited
Rotary Watches Ltd
2 Fouberts Place


Full details are attached to this email in DOC format.

Click here to make a payment
If there is any reason why payment should not be made or if you are experiencing difficulties with making the payment please get in touch so that we can discuss the matter and stop the recovery process.

Kind regards,

Rebecca Hughes

Customer services team
PGS Services | Expert Property Care

Direct dial: 0203 819 7054
Visit our website:

10 quick questions – tell us what you think!

The embedded URL/button with “Click here to make a payment” leads to hxxps:// but so far we haven’t been able to make any connections.

The attached file 3-6555-73329-1435806061-3.doc is a 115 kB Word file with an embedded malicious macro script that will download a trojan from a host.

The Word malware is known as LooksLike.Macro.Malware.gen!d3 (v), HEUR.VBA.Trojan.B or W97M.Dropper.KV.

At the time of writing, 4 of the 55 AV engines detected the trojan at Virus Total.

Use Virus Total for more detailed information.
SHA256: 70084c788933a1bbff1bf87df316caf4d79cdff6add65c99b637004779b1b815

Update 01/12/2015 – 14:40:

The macro can download the trojan from the following locations:

The trojan can make connections to the following IPs:

The trojan is known as UDS:DangerousObject.Multi.Generic or QVM19.1.Malware.Gen.

The 168 kB file 9o8jhdw.exe is detected by 2 of the 55 AV engines at Virus Total.
SHA256: b8e71df7a2236f1cf65ba6be02a6615217b61166e71164979d23d7254a446d1b
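
A triage check built from the indicators in this post, as an added example that is not MX Lab's own code: it flags a raw message by subject, by the two SHA256 values above, and by the OLE2 signature of legacy Office documents. The varying reference number in the subject pattern and the `triage` and `build_sample` names are assumptions; the sample message is constructed.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# SHA256 values published in this post (attachment and downloaded trojan).
KNOWN_SHA256 = {
    "70084c788933a1bbff1bf87df316caf4d79cdff6add65c99b637004779b1b815",
    "b8e71df7a2236f1cf65ba6be02a6615217b61166e71164979d23d7254a446d1b",
}
# Assumption: the reference number after "PGS/" varies between messages.
SUBJECT_RE = re.compile(r"Request for payment \(PGS/\d+\)", re.I)
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container


def triage(raw: bytes, known=KNOWN_SHA256) -> list[str]:
    """Return the reasons a raw RFC 5322 message matches this campaign."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        reasons.append("subject")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        if hashlib.sha256(data).hexdigest() in known:
            reasons.append(f"sha256:{name}")
        # Check content, not only the extension, which the sender controls.
        if data.startswith(OLE2_MAGIC):
            reasons.append(f"ole2:{name}")
    return reasons


def build_sample(subject: str, payload: bytes, filename: str) -> bytes:
    """Constructed test message; the payload is harmless filler bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("Full details are attached to this email in DOC format.")
    m.add_attachment(payload, maintype="application", subtype="msword",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    fake_doc = OLE2_MAGIC + b"\x00" * 64  # constructed, not a real document
    raw = build_sample("Request for payment (PGS/73329)", fake_doc, "invoice.doc")
    print(triage(raw))
```

A subject hit alone is weak evidence; a SHA256 hit identifies the exact sample, while the OLE2 hit only says the attachment is a legacy Office container that deserves macro inspection.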

5 thoughts on “New Word malware: Request for payment (PGS/73329) from PGS Services Limited”

  1. Just received one of these, assumed it was a scam and didn’t open the attachment or click the link. Replied advising that they will be reported to Trading Standards if they persist in chasing alleged invoice.

  2. Yes I have had 4 so far. Very clever with authentic looking fake website and testimonials to support their “authenticity”.
