Thursday, 26 November 2015

Your car rental invoice from Avis, No. E947168460


Your car rental invoice from Avis, No. E947168460 macro malware.


From: {}
Subject: Your car rental invoice from Avis, No. E947168460

Message Body:


Your Avis invoice(s)

Dear Customer

Please find attached your Avis invoice(s)

If you cannot see the attachment(s), please click here.
If you would like to speak to a member of our customer service team about your experience, please call us on 0844 544 6666 or email us at
Would Minicom users 18002 please contact us on 0844 544 5534 where we will be happy to deal with any query?
To make another reservation, please visit our website at
We look forward to seeing you again soon,
Avis Rent A Car Ltd

Attachment filename(s):


Sha256 Hashes:

1ecc514d0bf2b4f340d3c45b832e72d0be1cc5a86182e193221740041bb15052 [1]
914ee1830e7ab60764623e78a03a27af0c362ee236a866a901b0547d60f8a5c1 [2]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 2/55)
VirusTotal Report: [2] (detection 2/55)

Sanesecurity Signature detection:

badmacro.ndb: Sanesecurity.Badmacro.XlsM.003

Important notes:

Am I Safe?

The current round of Word/Excel/XML/Docm attachments are targeted at Windows and Microsoft Office users.

Apple (Mac/iPhone/iPad), Android and Blackberry mobiles/tablets that open these attachments will be safe.LibreOffice and OpenOffice users should also be safe but do not enable macros if asked to by the
attached file.

If you have Macros disabled  in Microsoft Word or Microsoft Excel, you should be safe but again,
do not enable macros if asked to by the attached file.

However, if you are an  (Mac/iPhone/iPad), Android and Blackberry mobiles/tablet user.. and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These word/excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal login information regarding your bank accounts either by
key logging, taking screen shots or copying information directly from your clipboard (copy/paste)

It's also worth remembering that the company itself  may not have any knowledge of this faked email and any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external bot net.

These bot-net emails normally have faked email headers/addresses.

It's not advised to ring/email the the company themselves, as there won't really be anything they can do to help you or to stop the emails being spread.



Anonymous said...

Thank you for the warning! I just got this email today and did a google search - thankfully your post was top of the list.

Unknown said...


So if you run the macro what steps do you need to take to remove anything that it downloaded?
I ran a full system scan and the virus checker found nothing.

Best regards,


Anonymous said...

Me too

Anonymous said...

I got the email and opened it on my Blackberry curve and now I cant log into my Coperative mobile banking what should I do

Anonymous said...

I opened the email on my Blackberry. Now I cant access my Co-op mobile banking .Help

Anonymous said...

As above - and I had used AVIS recently..

Anonymous said...

I almost fell for this. Was sensible to not follow the link - there was no attachment on my version. Actually did call Avis though - useless. Also contacted my bank to check I hadn't had ID fraud. I had ID fraud in the past and only found out because I got an email thanking me for purchasing a computer. The tricky thing about this scam is all the other details ARE actually Avis phone numbers etc so they are hoping you'll open the attachment or follow the link to find out what's going on - DON'T! I'm glad I didn't.