Today I investigated two excel spreadsheets with macros that have been making the rounds.
Subject: “Remittance Advice from Anglia Engineering Solutions Ltd [ID 83162S]”
We are making a payment to you.
Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.
If you have any questions regarding the remittance please contact us using the details below.
Anglia Engineering Solutions Ltd
Tel: 01469 194372
Subject: “Remittance Advice for 374.86 GBP” Virus spam.
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Senior Accounts Payable Specialist
K J Watking & Co
Tel: 01469 224722
Here are VirusTotal reports on the two excel files.
SHA256: cac2fd1956da940bb9ea90ddaa548d82c8935ad5ffd555555bdce259dad3e282 (Downloaded the payload from http://126.96.36.199:8080/stat/lld.php)
SHA256: 5df525cbd9ab794673e6ce705f3706077704837e115d67788e673b18a303b578 (Downloaded the payload from http://188.8.131.52:8080/stat/lld.php)
It then contacted http://184.108.40.206/ (rdns of “ns.dn.cv.ua”)
inetnum: 220.127.116.11 – 18.104.22.168
descr: PE “Filipets Igor Victorovych”
The malware now seems to either detect my virtual environment or something is stopping it making the futher requests that I’m used to in the previous reports.