New Word malware: CWIH8974 PAYMENT RECEIVED

MX Lab,, started to intercept a new malware distribution campaign by email with the subject “CWIH8974 PAYMENT RECEIVED”.

This email is send from the spoofed address “Avril Sparrowhawk <>” and has the following body:

Good afternoon

Thanks very much for your payment we recently from you, however there was a missed invoice. Can you just confirm this will be included in the next payment run, or whether there were any queries with this particular invoice?

I have attached the invoice for your reference.

Kind regards

Avril Sparrowhawk
Credit Controller
Les Caves De Pyrene
Pew Corner
Old Portsmouth Road

‘ +44 (0)1483 554784
6 +44 (0)1483 455068
Email Signature

The attached file CWIH8974.doc is a Word file with malicious macro.

The email is a variant on the previous campaigns that has been reported:

New Word malware: British Gas – A/c No. 602131633 – New Account

3 thoughts on “New Word malware: CWIH8974 PAYMENT RECEIVED

  1. Went a few days blessed with zero activity, then late Saturday this showed up:

    Subject: American Express Update
    “American Express”

    “Dear American Express User,

    During our server routine update we noticed you enter wrong detail. We implore you

    to download the attached file to re-verify your details.

    NOTE: You are strictly advised to match your information correctly to avoid service


    Thank you for your co-operation.


    American Express customer care

Comments are closed.