From: firstname.lastname@example.orgAttached is a file 611866.xls which appears to come in at least three different versions. But due to an error in the way the spam has been created, the attachment is actually corrupt and (depending on your version of Excel) attempting to open it gives this error:
Date: 19 March 2015 at 09:13
Subject: Your Sales Order
Your order acknowledgment is attached.
Please check carefully and advise us of any issues.
The file you are trying to open, '611866.xls', is in a different format than specified by the file extension. Verify that the file is not corrupted and is from a trusted source before opening the file. Do you want to open the file now?Clicking OK loads up what looks like gobbledegook.
If you see this, then you have had a lucky escape because the attachment is in the wrong format and is Base 64 encoded. If you manually run a Base 64 decoder against it then you end up with a malicious XLS file, in one of three different flavours with low detection rates    which in turn each contain a slightly different malicious macro    which then attempt to download from the following locations:
This is saved in the %TEMP% folder under the filenames pirit86.exe, tikapom64.exe and Trekaldo51.exe (although the binary is the same in each case). This malicious binary has a detection rate of just 2/57 and according to the Malwr report, it phone home to the following IPs:
188.8.131.52 (Pirix, Russia)
184.108.40.206 (OMC Computers & Communications, Israel)
220.127.116.11 (Gamma Telecom, UK)
18.104.22.168 (University of Cambridge, UK)
22.214.171.124 (Deniz Toprak, Turkey / B2 Net Solutions, US)
126.96.36.199 (DAEMINCUSTOM, Korea)
188.8.131.52 (Aqua Networks Ltd, Germany)
It also drops another version of the downloader, edg1.exe which has a detection rate of 1/56 and a DLL with a detection rate of also of 1/57. The payload is the Dridex banking trojan.