From: NatWest.co.uk [email@example.com]
Date: 23 May 2014 11:36
Subject: NatWest Statement
View Your May 2014 Online Financial Activity Statement
Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:
View/Download as a PDF
View all EStatements
So check out your statement right away, or at your earliest convenience.
Thank you for managing your account online.
Please do not respond to this e-mail. If you have any questions about this inquiry message or your NatWest Bank account, please speak to a Customer Service representative at +44 121 635 1592
NatWest Bank Customer Service Department
P.O. Box 414 | 38 Strand, WC2N 5JB, London
Copyright 2014 NatWest Company. All rights reserved.
The link in the email goes to [donotclick]dl.dropboxusercontent.com/s/h8ee7pet8g3myfh/NatWest_Financial_Statement.zip?dl=1&token_hash=AAGNPq4-blG8MXToyYPu1l8lXEyrOQNz6EjK7rUBRaSHGg&expiry=1400838977 which downloads an archive file NatWest_Financial_Statement.zip which in turn contains the malicious executable NatWest_Financial_Statement.scr. This has a VirusTotal detection rate of just 3/52.
Automated analysis tools   show that it downloads a component from [donotclick]accessdi.com/wp-content/uploads/2014/04/2305UKmw.zip
The Malwr analysis shows that it then downloads some additional EXE files:
- ibep.exe (VT 2/52, Malwr report)
- kuten.exe (VT 3/52, Malwr report)
- sohal.exe (VT 2/52. Malwr report)