New Word malware: Invoice 15069447 from Cleansing Service Group

MX Lab,, started to intercept a new malware distribution campaign by email with the subject “Invoice 15069447 from Cleansing Service Group”.

The malware that will be downloaded by the malicious Word macro, is already being used for a different malware campaign so the email is in fact a variant on “FW: Scan from a Samsung MFP“.

Also note that at this point, the malware on the host has been removed. However, a new download host can be used at any time so remain careful when receiving this kind of emails.

This email is send from the spoofed address “CSG <>” and has the following body:

Please see attached invoice from Cleansing Service Group.
Any queries please do not hesitate to contact us.

Cleansing Service Group
Chartwell House
5 Barnes Wallis Road
Segensworth East
PO15 5TT
Tel: 01489 776312
Fax: 01489 881369

Join us on LinkedIn Follow us on Twitter Like us on Facebook

This email (and any associated files) is intended solely for the use of the intended recipient(s) and may contain information that is confidential, subject to copyright or constitutes a trade secret. Any views or opinions expressed in this email are solely those of the author and do not necessarily represent those of Cleansing Service Group Ltd. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing or copying of this email is strictly prohibited. If you have received this email in error please notify us immediately by replying to the message and deleting it from your computer. Emails sent to and from us may be monitored.

Cleansing Service Group Ltd –

Registered Address: Chartwell House, 5 Barnes Wallis Road, Segensworth East, Fareham, Hampshire, PO15 5TT

Registered in England and Wales – Number 530446

The attached file 15069447.doc is a Word file with malicious macro that will download new malware from:


The malware is detected as LooksLike.Macro.Malware.gen!d1 (v), or Troj/DocDl-BC by 6 of the 55 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: af3bc183a3fdb6d93267aeabeb339bb519468a991d99f2ef4008d81667f693a8