From: NatWest [email@example.com]1/54. The CAMAS report shows that the malware calls out to the following URLs;
Date: 24 July 2014 10:39
Subject: You have a new Secure Message
You have received a secure message from NatWest Bank
To read your secure message please click here. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser.
If you have concerns about the validity of this message, contact the sender directly.
First time users - will need to register after opening the attachment.
Help - https://securemail.natwest.com/websafe/ml/help?topic=RegEnvelope
The characteristics of this malware are very similar to this one seen yesterday, and you can be assured that there are other goo.gl URLs and download locations in addition to the one listed here.
Because you can see the stats for any goo.gl URL just by adding a "+" on the end, it is possible to see who is clicking through. Oddly, there is not a single clickthrough from the UK where the NatWest bank is actually based.
goo.gl/spam-report if you want to try it (I would recommend giving it a go).