MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “CWIH8974 PAYMENT RECEIVED”.
This email is send from the spoofed address “Avril Sparrowhawk <Avril.Sparrowhawk@lescaves.co.uk>” and has the following body:
Thanks very much for your payment we recently from you, however there was a missed invoice. Can you just confirm this will be included in the next payment run, or whether there were any queries with this particular invoice?
I have attached the invoice for your reference.
Les Caves De Pyrene
Old Portsmouth Road
‘ +44 (0)1483 554784
6 +44 (0)1483 455068
The attached file CWIH8974.doc is a Word file with malicious macro.
The email is a variant on the previous campaigns that has been reported: