Date: 23 June 2015 at 14:14
Subject: Hope this e-mail finds You well
Hope this e-mail finds You well.
Please be informed that we received the documents regarding the agreement No. 7232-003 dated from 3rd day of June.
However there are some forms missing.
We made the list of missing documents for Your ease (the list is attached below).
Please kindly check whether these forms are kept in your records.
In case you have any questions here are our contact details: 838-72-99. Feel free to give a call at any time.

Some of the details vary in each email, but the overall format is the same. So far I have seen two different mis-named attachments:
The file sizes actually match the one listed in the file's name. Because the attachment is not properly named, some ZIP file handlers may fail to deal with them. Equally, the technique may be designed to get the spam past mail filters.
Each archive contains a file info_bank_pdf.exe with different checksums and a detection rate of 3/52 or 3/54. Automated analysis tools indicate traffic to the following locations:
126.96.36.199 (Orion Telekom, Serbia)
188.8.131.52 (Suddenlink Communications, US)
184.108.40.206 (Orion Telekom, Serbia)
220.127.116.11 (Charter Communications, US)
These two Malwr reports show dropped files named yaxkodila.exe (two versions, VT 5/54 and 5/55) plus a file jieduk.exe (VT 8/54). Incidentally, the VirusTotal analysis also throws up another IP address of:
18.104.22.168 (Time Warner Cable, US)
The malware is a common combination of the Upatre downloader and Dyre banking trojan, targeting Windows systems.
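A mail filter can avoid being fooled by the mis-named attachment described above by classifying attachments on content rather than on filename. The sketch below is an added example, not code from the original post: it detects ZIP data by its signature, then flags executable members such as info_bank_pdf.exe. The attachment name `constructed_attachment_name`, the extension list and the finding labels are assumptions made for the illustration, and the sample message is constructed with an inert stub.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy list of directly executable extensions; extend as needed.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header signature
PE_MAGIC = b"MZ"           # DOS/PE executable header

def inspect_attachment(filename, payload):
    """Return findings for one attachment, judged by content, not by name."""
    if not payload.startswith(ZIP_MAGIC):
        return []
    findings = []
    if not (filename or "").lower().endswith(".zip"):
        findings.append("zip-content-without-zip-name")
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                name = info.filename.lower()
                ext = name[name.rfind("."):] if "." in name else ""
                with zf.open(info) as fh:  # read only the header bytes
                    head = fh.read(2)
                if ext in EXECUTABLE_EXTS or head == PE_MAGIC:
                    findings.append(f"executable-member:{info.filename}")
    except (zipfile.BadZipFile, RuntimeError):  # corrupt or encrypted archive
        findings.append("unreadable-zip")
    return findings

def scan_message(raw_bytes):
    """Map each suspicious attachment name in a raw message to its findings."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        findings = inspect_attachment(part.get_filename(), data)
        if findings:
            report[part.get_filename()] = findings
    return report

def build_sample():
    """Constructed sample: ZIP holding an inert 'MZ' stub, attached without .zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("info_bank_pdf.exe", b"MZ" + b"\x00" * 62)  # not malware
    msg = EmailMessage()
    msg["Subject"] = "Hope this e-mail finds You well"
    msg.set_content("We made the list of missing documents for Your ease.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="constructed_attachment_name")
    return msg.as_bytes()
```

Checking the first two bytes of each member also catches an executable whose name has been given a harmless-looking extension.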