Date: 17 December 2014 at 08:42
Subject: PL REMITTANCE DETAILS ref844127RH
The attached remittance details the payment of £664.89 made on 16-DEC-2014 by BACSE.
This email was generated using PL Payment Remittance of Integra Finance System.
Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.
The reference in the subject and the name of the Excel attachment differ from email to email, but are always consistent in the same message. There are two poorly detected malicious Excel files that I have seen   containing two slightly different macros   which then reach out to the following download locations:
The file from these locations is downloaded as test.exe and is then saved to %TEMP%\VMHKWKMKEUQ.exe. This has a VirusTotal detection rate of 1/55. The ThreatTrack report [pdf] shows it POSTing to the following IP:
220.127.116.11 (PE "Filipets Igor Victorovych", Ukraine)
This IP has been used in several recent attacks and I strongly recommend blocking it.
The Malwr report also shows it dropping a malicious DLL identified as Dridex.
The ThreatExpert report gives some different IPs being contacted:
18.104.22.168 (Denes Balazs / HostEurope, Germany)
22.214.171.124 (PlusServer, Germany)
The Ukrainian IP is definitely malicious, but if you wanted to establish maximum protection then I would recommend the following blocklist: