Today I investigated two excel spreadsheets with macros that have been making the rounds.
Subject: “Remittance Advice from Anglia Engineering Solutions Ltd [ID 83162S]”
We are making a payment to you.
Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.
If you have any questions regarding the remittance please contact us using the details below.
Anglia Engineering Solutions Ltd
Tel: 01469 194372
Subject: “Remittance Advice for 374.86 GBP” Virus spam.
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Senior Accounts Payable Specialist
K J Watking & Co
Tel: 01469 224722
Here are VirusTotal reports on the two excel files.
SHA256: cac2fd1956da940bb9ea90ddaa548d82c8935ad5ffd555555bdce259dad3e282 (Downloaded the payload from http://220.127.116.11:8080/stat/lld.php)
SHA256: 5df525cbd9ab794673e6ce705f3706077704837e115d67788e673b18a303b578 (Downloaded the payload from http://18.104.22.168:8080/stat/lld.php)
It then contacted http://22.214.171.124/ (rdns of “ns.dn.cv.ua”)
inetnum: 126.96.36.199 – 188.8.131.52
descr: PE “Filipets Igor Victorovych”
The malware now seems to either detect my virtual environment or something is stopping it making the futher requests that I’m used to in the previous reports.