From: Serena Dotson
Date: 10 December 2014 at 10:33
Subject: Remittance Advice from Anglia Engineering Solutions Ltd [ID 334563N]
We are making a payment to you.
Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.
If you have any questions regarding the remittance please contact us using the details below.
Anglia Engineering Solutions Ltd
Tel: 01469 520572
The sender's name, ID number and attachment name vary from one spam email to the next. Each email comes with one of two Excel attachments, both of which are malicious but undetected by any AV product. Each attachment contains one of two malicious macros [pastebin], which attempt to download an executable from the following locations:
This file is downloaded as test.exe and is then copied to %TEMP%\LNUDTUFLKOJ.exe. This executable has a VirusTotal detection rate of just 1/55. The ThreatTrack report [pdf] shows attempted connections to the following IPs:
126.96.36.199 (PE "Filipets Igor Victorovych", Ukraine)
188.8.131.52 (PlusNet, UK)
184.108.40.206 (1&1, Germany)
Traffic to 220.127.116.11 is also confirmed by VirusTotal. The Malwr report shows the same traffic.
The payload is most likely Dridex, a banking trojan.
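The following added example, which is not part of the original post, triages file-creation events for the behaviour described above: an Office process writing an executable such as test.exe or %TEMP%\LNUDTUFLKOJ.exe. The field names follow Sysmon Event ID 11 (FileCreate); the sample events, the list of Office process names, the random-name pattern and the premise that the macro writes the file from inside the Office process are assumptions, not details from the post.

```python
import ntpath
import re

# Assumption: Office processes whose macros could write the file themselves.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# File names reported in the post above.
REPORTED_NAMES = {"test.exe", "lnudtuflkoj.exe"}
# Assumption: other samples may use a similar all-capitals random name.
RANDOM_UPPER = re.compile(r"^[A-Z]{8,16}\.exe$")

def in_temp(path):
    """True if any parent directory of the Windows path is named Temp."""
    parts = path.replace("/", "\\").lower().split("\\")
    return "temp" in parts[:-1]

def triage(events):
    """Return (path, reasons) for every .exe written by an Office process."""
    hits = []
    for ev in events:
        writer = ntpath.basename(ev["Image"]).lower()
        target = ev["TargetFilename"]
        name = ntpath.basename(target)
        if writer not in OFFICE_IMAGES or not name.lower().endswith(".exe"):
            continue
        reasons = ["office-wrote-exe"]
        if in_temp(target):
            reasons.append("in-temp")
        if name.lower() in REPORTED_NAMES:
            reasons.append("name-from-post")
        elif RANDOM_UPPER.match(name):
            reasons.append("random-uppercase-name")
        hits.append((target, reasons))
    return hits

# Constructed sample events; users and paths are invented for illustration.
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"Image": EXCEL, "TargetFilename": r"C:\Users\alice\Documents\budget.xlsx"},
    {"Image": EXCEL, "TargetFilename": r"C:\Users\alice\test.exe"},
    {"Image": EXCEL, "TargetFilename": TEMP + r"\LNUDTUFLKOJ.exe"},
    {"Image": r"C:\Program Files\Browser\browser.exe",
     "TargetFilename": TEMP + r"\setup.exe"},
    {"Image": EXCEL, "TargetFilename": TEMP + r"\QWXZPLMKOIJ.exe"},
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS):
        print(path, reasons)
```

An Office process writing any .exe is rare enough in normal use that the first reason alone is worth alerting on; the name-based reasons only raise priority.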
I recommend that you block traffic to the following IPs: