Friday, 19 December 2014

Excel malware: BACS payment Ref

More macro malware... this time from "BACS"

Date: Fri, 19 Dec 2014 11:55:31 +0200
From: "Buck Bean" (Names and Addresses are random)
Subject: BACS payment Ref:026919ZL (Ref is random)
 

Please see below our payment confirmation for funds into your account on =
Tuesday re invoice 026919ZL

Attached is an excel file: 026919ZL.xls (filename is random)

Four variants  so far...

MD5 hash: 3b21e1fb5d4fb2d67bcfc716a57ad41c [0/56]
MD5 hash: 827803f959140b728d66adb4b209b619 [0/56]
MD5 hash: ba4ab13558df82e4b6c347828a130a06 [0/56]
MD5 hash: 0eed6374118743dcaf207df327d5fa07 [0/56]

Detection added:

Sanesecurity.Malware.24675.XlsHeur
Sanesecurity.Rogue.0hr.20141219-1104

The decoded macro is here: pastebin

Just a reminder about opening the document with other devices and Online VirusScanners:

Cheers,

Steve
Sanesecurity.com

No comments: