New Word malware: Gompels Healthcare Ltd Invoice


MX Lab, http://www.mxlab.eu, has started to intercept a new email malware distribution campaign with the subject “Gompels Healthcare Ltd Invoice”.

This email is sent from the spoofed address “Gompels Healthcare ltd <salesledger@gompels.co.uk>” and has the following body:

Hello
Please see attached pdf file for your invoice
Thank you for your business

The attached file fax00375039.DOC is a Word file with a malicious macro.

The malware is detected as HEUR.VBA.Trojan.d or virus.macos.gen.33 by 2 of the 53 AV engines at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: adce8fddf3163cc79d7811ddb93408f60a95595f79d5ddadf7ca0da3e43244e7

Malware will be downloaded by the malicious macro from the following locations:

return-gaming.de/8h75f56f/34qwj9kk.exe
phaleshop.com/8h75f56f/34qwj9kk.exe
bolmgren.com/8h75f56f/34qwj9kk.exe

The malware is detected as UDS:DangerousObject.Multi.Generic by 1 of the 54 AV engines at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: ac424d8ef67dbb1ee98568f9a96376370ce0cf1f9d03403d928498a57c54abd9
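
To check whether a client actually fetched the payload, the indicators above can be matched against web proxy logs and file hashes. The following Python is an added example, not part of the original MX Lab post; the Squid-like log layout, the constructed sample lines and the "path-only" heuristic for unlisted hosts are assumptions.

```python
import hashlib
from urllib.parse import urlsplit

# Indicators copied from the advisory above.
HOSTS = {"return-gaming.de", "phaleshop.com", "bolmgren.com"}
PATH = "/8h75f56f/34qwj9kk.exe"
SHA256 = {
    "adce8fddf3163cc79d7811ddb93408f60a95595f79d5ddadf7ca0da3e43244e7": "Word attachment",
    "ac424d8ef67dbb1ee98568f9a96376370ce0cf1f9d03403d928498a57c54abd9": "downloaded executable",
}

def classify_url(url):
    """'exact' = listed host and path; 'path-only' = same path on an unlisted
    host (a heuristic assumed by this example); None = no match."""
    if "://" not in url:
        url = "http://" + url  # some proxies log URLs without a scheme
    try:
        parts = urlsplit(url)
    except ValueError:
        return None  # unparseable URL field
    if parts.path != PATH:
        return None
    host = (parts.hostname or "").rstrip(".").removeprefix("www.")
    return "exact" if host in HOSTS else "path-only"

def scan_proxy_log(lines, client_field=2, url_field=6):
    """Return (client, url, verdict) for every log line that matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) <= max(client_field, url_field):
            continue  # truncated or malformed line
        verdict = classify_url(fields[url_field])
        if verdict:
            hits.append((fields[client_field], fields[url_field], verdict))
    return hits

def sha256_ioc(data):
    """Return the advisory's label for a file's bytes, or None if unlisted."""
    return SHA256.get(hashlib.sha256(data).hexdigest())

# Constructed sample lines (Squid-like layout, documentation-range addresses).
SAMPLE_LOG = [
    "1700000000.101 210 192.0.2.15 TCP_MISS/200 184320 GET http://return-gaming.de/8h75f56f/34qwj9kk.exe - DIRECT/203.0.113.9 application/octet-stream",
    "1700000003.410 95 192.0.2.22 TCP_MISS/200 184320 GET http://WWW.PhaleShop.com:80/8h75f56f/34qwj9kk.exe?id=1 - DIRECT/203.0.113.10 application/octet-stream",
    "1700000007.002 88 192.0.2.31 TCP_MISS/404 512 GET http://files.example.net/8h75f56f/34qwj9kk.exe - DIRECT/198.51.100.7 text/html",
    "1700000009.555 40 192.0.2.15 TCP_MISS/200 2048 GET http://bolmgren.com/index.html - DIRECT/203.0.113.11 text/html",
]
print(scan_proxy_log(SAMPLE_LOG))
```

A "path-only" hit is a lead to investigate rather than a confirmed download, and the client address in each hit identifies the workstation to examine.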

3 thoughts on “New Word malware: Gompels Healthcare Ltd Invoice”

  1. I have been undergoing cancer treatment, so have a lot of health care invoices. I opened this on my iPhone 6, thinking it was legitimate. What do I need to do to get rid of it?

    • Really sorry you’ve been a victim of this callous attack. This virus appears to be targeted at Microsoft Word, so opening it on an iPhone shouldn’t infect your phone 🙂

  2. We found out that somebody was spoofing us yesterday. Although it’s not come from us we’ve put in place some extra security and all our e-mails are now DKIM signed, which hopefully will reduce the number of these mails being received by people.
