Wednesday, 7 January 2015

Eliza Fernandes NUCSOFT-Payroll December document malware

Eliza Fernandes NUCSOFT-Payroll December document, is being spammed out containing a macro
embedded in a word document

The Word document has a random attachment, however these emails aren't from NUCSOFT
at all, they just being used to make the email look more genuine, ie. from a real company.

Message Header:
From: "Eliza Fernandes" {}
Date: Wed, 07 Jan 2015 13:56:00 +0530
Subject: NUCSOFT-Payroll December 2014

Message Body:
Please find the data for payroll processing.

Please forward the PDF of summary.

Eliza Fernandes

Finance Dept.
This message contains privileged and confidential information and is 
intended only for an individual named. If you are not the intended 
recipient, you should not disseminate, distribute, store, print, 
copy or deliver this message. Please notify the sender immediately 
by e-mail if you have received this e-mail by mistake and delete 
this e-mail from your system. E-mail transmission cannot be 
guaranteed to be secure or error-free as information could be 
NUCSOFT : With You - Until Success  and Beyond....
Visit us at

Payroll Dec'14.doc

Md5 Hashes:

Malware Macro document information:

VirusTotal Report [1]
(hits 2/56 Virus Scanners)

Malwr Report [1]

Decoded Macro [1]
Sanesecurity signatures are blocking this as: Sanesecurity.Malware.24646.DocHeur


The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))



Anonymous said...

Thank you, I have just got one :(

Anonymous said...

Very helpful . Just got one too

Roger Vaughan said...

Getting some ourselfves. Thaks for this.

Anonymous said...

Thanks for the info - I just got one as well. It seemed phishy.

Sir Gonville Ffrench said...

We received one this morning at 0832 GMT. Thanks.

Anonymous said...


I just checked my email & have received. Never open up anything from anyone I don't know, then always google it & find the consequences if I had!

Thanks again

Anonymous said...

Thank you

Just checked my email & had it, now deleted

Anonymous said...

I have just received one too, are we able to forward it to someone to check it out?