From: firstname.lastname@example.org [email@example.com]
Date: 2 April 2015 at 11:46
Subject: Outstanding invoice
Please find the attached copy invoice which is showing as unpaid on our ledger.
To download your invoice please click here
I would be grateful if you could look into this matter and advise on an expected payment date.
Tel: 0845 300 2952
The link in the email leads to a download location at hightail.com (the sample I saw downloaded from https://www.hightail.com/download/e?phi_action=app/directDownload&fl=SWhZekZucVhVbTlFQlFJWjA4bnVnVE9yZWt5UmdteDRsUjJuWENHRzVZbz0). The download is a file called Doc_0062119-LQ.zip, which in turn contains the malicious executable Doc_0062119-LQ.scr.
The executable has a VirusTotal detection rate of 3/57 and has characteristics that identify it as Upatre. Automated analysis tools show that it downloads additional components from:
It also POSTs data to 188.8.131.52 (Makiyivka Online Technologies Ltd, Ukraine) in a characteristic Upatre manner:
According to the Malwr report, the downloader drops a file gkkjxyz22.exe, which has a detection rate of 2/57. This is probably the Dyre banking trojan.
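The delivery described above relies on a ZIP archive wrapping a .scr executable named like a document. The following check is an added example, not part of the original post: it flags ZIP members with directly executable extensions or with a PE "MZ" header behind a harmless-looking name. The function names, the extension list and the sample archive (harmless constructed bytes) are assumptions made for illustration.

```python
import io
import os
import zipfile

# Extensions Windows runs directly; a .scr screensaver is an ordinary PE file.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".cpl"}

def scan_zip(data: bytes) -> list:
    """Return (member, reason) pairs for members that look executable."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a readable ZIP")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable extension " + ext))
            elif info.flag_bits & 0x1:
                # Encrypted member: content cannot be checked without a password.
                findings.append((info.filename, "encrypted, not inspected"))
            else:
                with archive.open(info) as member:
                    if member.read(2) == b"MZ":  # DOS/PE magic bytes
                        findings.append((info.filename, "MZ header, misleading name"))
    return findings

def build_sample() -> bytes:
    """Constructed test archive: harmless bytes, names modelled on the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Doc_0062119-LQ.scr", b"MZ" + b"\x00" * 62)  # not real malware
        z.writestr("notes.txt", b"plain text")
        z.writestr("invoice.pdf", b"MZ" + b"\x00" * 62)  # PE magic, document name
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in scan_zip(build_sample()):
        print(name, "->", reason)
```

A mail or web gateway could run a check like this on downloaded archives before delivery; it does not replace sandbox or antivirus analysis of the contents.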