From: tim [email@example.com]
Date: 19 June 2015 at 16:40
Subject: New instructions
New instructions payment of US banks, ask to read
Attached is an archive file with the somewhat unusual name of instructions.zip (size 19811), which contains a malicious executable named instructions_document.exe.
The VirusTotal analysis indicates that this is the Upatre downloader [detection rate 3/57]. Automated analysis tools show traffic to:
which is an IP operated by Orion Telekom in Serbia, and also 220.127.116.11:443, which is Hamilton Telecommunications in the US. A characteristic of this generation of Upatre is that it sends traffic to icanhazip.com, which, while not malicious in itself, is quite a good indicator of infection.
In all cases I have seen, Upatre drops the Dyre banking trojan, but I have been unable to obtain a sample.
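The icanhazip.com indicator described above can be turned into a simple log hunt. This is an added example, not part of the original post: the four-column proxy-log format, the sample lines, the five-minute window and the rule of pairing the lookup with a follow-up connection to a bare IP on port 443 are all assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample log (assumed format: timestamp client destination port).
SAMPLE_LOG = """\
2015-06-19T16:52:03 10.0.0.21 icanhazip.com 80
2015-06-19T16:52:05 10.0.0.21 198.51.100.7 443
2015-06-19T16:53:10 10.0.0.34 www.example.org 443
2015-06-19T17:10:44 10.0.0.50 icanhazip.com 80
2015-06-19T17:15:00 10.0.0.34 198.51.100.7 443
2015-06-19T18:30:00 10.0.0.50 203.0.113.9 443
"""

def parse(log_text):
    """Return time-sorted (timestamp, client, destination, port) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines
        ts, client, dest, port = parts
        events.append((datetime.fromisoformat(ts), client,
                       dest.lower().rstrip("."), int(port)))
    return sorted(events)

def is_bare_ip(dest):
    """True when the destination is an IP literal rather than a hostname."""
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False

def find_suspects(log_text, window=timedelta(minutes=5)):
    """Map client -> 'review' (icanhazip.com lookup seen) or
    'high' (lookup followed within `window` by a bare-IP :443 connection)."""
    last_lookup, verdict = {}, {}
    for ts, client, dest, port in parse(log_text):
        if dest == "icanhazip.com":
            last_lookup[client] = ts
            verdict.setdefault(client, "review")
        elif port == 443 and is_bare_ip(dest) and client in last_lookup:
            if ts - last_lookup[client] <= window:
                verdict[client] = "high"
    return verdict

if __name__ == "__main__":
    for client, level in sorted(find_suspects(SAMPLE_LOG).items()):
        print(client, level)
```

Legitimate tools also query icanhazip.com, so a "review" result is a prompt to check the host for a recently opened attachment rather than proof of infection.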