New Word malware: Invoice / Credit Note Express Newspapers (S174900)

MX Lab,, started to intercept a new malware distribution campaign by email with the subject “Invoice / Credit Note Express Newspapers (S174900)”.

This email is send from the spoofed address “” and the following body content:

Please find attached Invoice(s) / Credit Note(s) from Express Newspapers.

If you have any queries with it, or to request that future documents get sent to a different email address for processing, please contact: or telephone 020 8612 7149.

N.B. Please do not reply to this email address as it is not checked.

Kind Regards,

Express Newspapers
Finance Dept – 4th Floor,The Northern & Shell Building
Number 10 Lower Thames Street, London EC3R 6EN

Any views or opinions are solely those of the author and do not necessarily represent those of Express Newspapers

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material.If you are not the intended recipient of this message please do not read ,copy, use or disclose this communication and notify the sender immediately. It should be noted that any review, retransmission, dissemination or other use of, or taking action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. E-mail communications may be monitored.

The attached file S174900.DOC is a Word file with malicious macro.

The malware is detected as HEUR.VBA.Trojan.d by 1 of the 54AV engines at Virus Total.

Use the Virus Total for more detailed information.
SHA256: cd2d4f9df7bb98d6d30c9b302b5e2e0089d838c45f68dfa0bed0e4b7c98245b3

The Word macro will download the payload from the following locations:

The malware is detected as UDS:DangerousObject.Multi.Generic by 1 of the 54 AV engines at Virus Total.

Use the Virus Total for more detailed information.
SHA256: 89c73c42e8cd8d20aac5878c4585b9be2ce12447d6b201d3bd1407142dd60bbf