Sponsored by..

Thursday, 15 January 2015

Malware Spam: "HEXIS (UK) LIMITED" / "Invoice from Hexis"

This fake invoice has a malicious attachment. It does not comes from Hexis UK Ltd, it is a forgery. Hexis is not sending the spam, nor have their systems been compromised in any way.

From:    Invoice from Hexis [Invoice@hexis.co.uk]
Date:    15 January 2015 at 06:36
Subject:    Invoice

Sent 15 JAN 15 08:30

7 Europa Way
Britannia Park
WS14 9TZ

Telephone 01543 411221
Fax 01543 411246 
Attached is a malicious Word document S-INV-CREATIFX-465219.doc which actually comes in two different versions (perhaps more) with low detection rates [1] [2] containing two slightly different macros [1] [2] which download a component from one of the following locations:


This has a VirusTotal detection rate of 3/57. That report shows the malware phoning home to (1&1 Internet, US) which is a familiar C&C server which you should definitely block traffic to. My sources also identify a couple of other IPs, giving a recommended blocklist of:

UPDATE: the Malwr report shows that it drops a DLL with a VirusTotal detection rate of just 1/57.


naszfranio said...

Dear Customer,

Hexis UK Ltd has had their E-mail account hacked early this morning the hacker is sending emails that look like they are coming from Hexis with the following email address (invoice@hexis.co.uk).

If you receive an email from Hexis and are not expecting it then please DO NOT OPEN the email & simply delete it.

Please note that due to huge amount of emails that have been sent, we are receiving a very very high telephone demand from thousands of people.

Should you wish to place an order with Hexis then please bare with us or email us at sales@hexis.co.uk

We thank you for your understanding.

Ronny said...

I got this spam email and I can't seem to delete it from my Windows Live Mail inbox. Please help!! I have not opened the email (knew it was spam)

Tx, Ronny

Colin Tovey said...

We received the email and called the company to ascertain what customer data has been obtained. I was forwarded to a Technical member of staff who was confused as to the difference between an ISP & a mail server. He was generally difficult and argumentative, intrusive by asking us who our ISP was and what we do about virus'. After 10 min of going around the reakin I gave up. Our data governance manager will be writing to the business to ascertain the potential implications.

Ronny said...

I finally was able to delete the mail, after running my antivirus software and closing down the computer completely. As to Hexis, i am wondering why they have my email address anyway, as i've never had anything to do with them. Doesn't instill confidence in the company or its IT department.

Conrad Longmore said...

Let me stress this - Hexis HAVE NOT BEEN HACKED. The emails are sent from a criminally-controlled botnet who (for unknown reasons) decided to fake these emails to make it look like they came from Hexis. Typically they seem to do this to one or two companies a day.

It is trivially easy to fake who an email appears to be "from", and that is what is happening here.

If you do happen to be a customer of Hexis and you have receive the spam then it is a coincidence, nothing more.

Kosheg Cheshirskiy said...

There are no PANIC, included VB script is well known :) and was recognized by AVG (and other 3 AV Engines) for now about 30 AV Vendors perform update to their signatures.
I perform initial trace back to source ...Yes , indeed its botnet and originated by Russians :) Cyrillic is a default code page in document ...
Any ideas who is originator?