From: Sales-BNThermic [Sales@bnthermic.co.uk]
Date: 7 April 2015 at 09:48
Subject: Order Confirmation Order BNTO056063 06/04/2015
Thank you for your order, please find attached confirmation.
In all cases, the attached file is called BNTO056063.DOC, but there are actually at least four different variants with one of four malicious macros     which then download a component from one of the following locations:
This file is then saved as %TEMP%\wabat1.1a.exe. This executable is the same one as used in this attack and the payload is the Dridex banking trojan.