From: CardsOnLine [CardsOnLine@natwesti.com]
Date: 26 January 2015 at 13:06
Subject: Cards OnLine E-Statement E-Mail Notification
Your July 30, 2014 E-Statement for account number xxxxxxxxxxxx6956 from Cards OnLine is now available.
For more information please check link: http://afreshperspective.com/NATWEST_BANK-MESSAGES-STORAGE/new.secured_document.html
Many internet users have recently been targeted through bogus E-Mails by fraudsters claiming to be from their bank. These E-Mails ask customers to provide their internet banking security details in order to reactivate their account or verify an E-Mail address.
Please be on your guard against E-Mails that request any of your security details. If you receive an e-mail like this you must not respond.
Please remember that, for security reasons, apart from when you create them at registration or when you change your Internet Pin or Password, we will only ever ask you to enter random characters from your Internet PIN and Password when you logon to this service.
You must keep your security details secret. We would never ask you, by E-Mail, to enter (or record) these details in full and you must not respond to E-Mails asking for this information.
National Westminster Bank Plc, Registered in England No 929027. Registered
Office: 135 Bishopsgate, London EC2M 3UR. Authorised and regulated by the Financial Services Authority.
This E-Mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer. Internet E-Mails are not necessarily secure. National Westminster Bank Plc does not accept responsibility for changes made to this message after it was sent.
Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by National Westminster Bank Plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.
Users who click the link see a download page similar to this: [screenshot]
The link in the email downloads a randomly-named file in the format security_notice55838.zip, which contains a malicious binary with a name similar to security_notice18074.exe.
This binary has a VirusTotal detection rate of 1/56 and is identified by Norman AV as Upatre. Automated analysis tools are not particularly enlightening.
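With signature detection at 1/56, the delivery pattern described above (a security_notice<digits>.zip wrapping a security_notice<digits>.exe) is a more dependable thing to match at a mail or web gateway. The following triage check is an added example, not code from the original post; the function names, the extension list and the sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Naming pattern described in the post: security_notice<digits>.zip / .exe
ARCHIVE_RE = re.compile(r"^security_notice(\d+)\.zip$", re.IGNORECASE)
MEMBER_RE = re.compile(r"^security_notice(\d+)\.exe$", re.IGNORECASE)
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")  # assumption: extensions worth flagging


def triage_zip(filename, data):
    """Return the reasons a downloaded ZIP resembles this lure, or [] if none apply."""
    reasons = []
    archive_match = ARCHIVE_RE.match(filename)
    if archive_match:
        reasons.append("archive name matches security_notice<digits>.zip")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return reasons + ["not a valid ZIP despite the extension"]
    with zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if not base.lower().endswith(EXECUTABLE_EXTS):
                continue
            reasons.append(f"executable member: {base}")
            if info.flag_bits & 0x1:  # encrypted: content unreadable without the password
                reasons.append(f"{base} is encrypted")
            else:
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":  # PE files start with the DOS 'MZ' magic
                        reasons.append(f"{base} has a PE (MZ) header")
            member_match = MEMBER_RE.match(base)
            if archive_match and member_match and member_match.group(1) != archive_match.group(1):
                reasons.append("archive and member carry different random numbers")
    return reasons


def build_sample(member_name, payload):
    """Build an in-memory ZIP for the demo (constructed data, no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample("security_notice18074.exe", b"MZ" + b"\x00" * 62)  # inert stub
    print(triage_zip("security_notice55838.zip", lure))
```

An empty list means none of the indicators fired; it does not mean the archive is safe.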