From: Hayley Sweeney [firstname.lastname@example.org]
Date: 10 June 2015 at 11:20
Subject: Your monthly BTT telephone bill

Please find attached your telephone bill for last month.
This message was sent automatically.
For any queries relating to this bill, please contact Customer Services on 01536 211100.

So far I have only seen one sample with an attachment Invoice_68362.doc which contains this malicious macro [pastebin] which downloads a malicious executable from:
This is saved as %TEMP%\birsafpc.exe and it has a VirusTotal detection rate of 6/57. Automated analysis tools show traffic to the following IPs:
126.96.36.199 (Linode, US)
188.8.131.52 (OVH, France)
184.108.40.206 (Global Telecommunications Ltd, Russia)
This Malwr report also indicates that it drops a Dridex DLL with a detection rate of 7/57.