From: Maria Wilson [email@example.com]The impact on this innocent company appears to be severe, with their website currently suspended.
Date: 19 February 2015 at 09:10
Please see attached up to date statement.
I would be grateful if you could confirm all due invoices have been processed for payment.
Maria Wilson | Credit Controller
T: 0141 285 3838
Think Sustainability - Do not print this email unless essential
This email and any attachments are confidential and intended for the addressee only.
If you are not the named recipient, you must not use, disclose, reproduce, copy or distribute the contents of this communication.
If you have received this in error, please contact the sender and then delete this email from your system.
I have only seen only sample of the attachment Statement 18 FEB 2015.xls although there are probably other variants. This contains a set of macros [password=infected] which are mostly crap, but the key parts are Modules 13 (the encrypted strings) and 27 (the decrypt function). These macros download a file from the following location:
This is saved as %TEMP%\FfdgF.exe which has a VirusTotal detection rate of 5/57. Various automated analysis tools    show attempted network connections to:
184.108.40.206 (Hosteurope, Germany)
220.127.116.11 (Microtech Tel, US)
18.104.22.168 (World Internetwork Corporation, Thailand)
22.214.171.124 (Tata Indicom, India)
126.96.36.199 (Webazilla, US)
188.8.131.52 (Chunghwa Telecom, Taiwan)
184.108.40.206 (ITL Company, Bulgaria)
The Malwr report shows it dropper another version of the downloader (VT 3/57) and a malicious DLL (VT 6/57). Payload is probably Dridex.