“Remittance Advice from Anglia Engineering Solutions Ltd [ID 83162S]” and “Remittance Advice for 374.86 GBP” Virus spam.

Today I investigated two excel spreadsheets with macros that have been making the rounds.

Subject: “Remittance Advice from Anglia Engineering Solutions Ltd [ID 83162S]”

Dear ,

We are making a payment to you.

Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.

If you have any questions regarding the remittance please contact us using the details below.

Kind regards
Lula Alston
Anglia Engineering Solutions Ltd
Tel: 01469 194372

Subject: “Remittance Advice for 374.86 GBP” Virus spam.

Please find attached a remittance advice for recent BACS payment.

Any queries please contact us.

Lisa Valentine
Senior Accounts Payable Specialist
K J Watking & Co
Tel: 01469 224722

Here are VirusTotal reports on the two excel files.
SHA256: cac2fd1956da940bb9ea90ddaa548d82c8935ad5ffd555555bdce259dad3e282 (Downloaded the payload from
SHA256: 5df525cbd9ab794673e6ce705f3706077704837e115d67788e673b18a303b578 (Downloaded the payload from

In both instances the file downloaded by the macro was the same .exe:
SHA256: c92200fd311abe6f1e8422781f3eefec7ef2791ab0f43e4552bd27488091da94
VirusTotal Report / Malwr Report

It then contacted (rdns of “ns.dn.cv.ua”)

inetnum: –
netname: FLPTS-NET
descr: PE “Filipets Igor Victorovych”
country: UA

The malware now seems to either detect my virtual environment or something is stopping it making the futher requests that I’m used to in the previous reports.

This entry was posted in Uncategorized. Bookmark the permalink.

3 Responses to “Remittance Advice from Anglia Engineering Solutions Ltd [ID 83162S]” and “Remittance Advice for 374.86 GBP” Virus spam.

  1. jay says:

    after it has been opened how do i remove it

  2. I would unplug your computer from the internet asap and back up any important data.
    Then use HitMan Pro (surfright.nl) to scan and clean the computer but also seek professional advice or – reinstall the computer to be sure nothing remains.

    I would also, from a different computer, change the password for any website or email account that your computer “save this password for me”‘d… the infection looks likely to have stolen stored passwords in browsers.

  3. Oh.. but if you saw a “Macros are disabled, click here to enable them” message and __didn’t__ click it… you are probably safe anyway! The Macro needed to run to infect.
    In any case a hitman pro scan is worth while.

Comment on this topic

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s