From: Simon Harrington [firstname.lastname@example.org]
Subject: Emailing: slide1
Date: Mon, 01 Jun 2015 19:42:14 +0700

Instead of having an attachment, it has a Base 64 encoded section like this:
As it is, this email is harmless because all the bad stuff needs decoding. Extracting that section and decoding it gives a file named slide1.doc which contains this malicious macro [pastebin].
This macro downloads a malicious component from:
Which has a VirusTotal detection rate of 7/56. This Malwr report shows it communicating with the same IPs we saw earlier:
18.104.22.168 (Selectel Network, Russia)
22.214.171.124 (Digital Ocean, US)
126.96.36.199 (Digital Ocean, Netherlands)
188.8.131.52 (Hetzner, Germany)
It also drops the same Dridex DLL we saw earlier, now with a detection rate of 9/56.
Incidentally, the email address is a genuine one belonging to a poor chap in Tunbridge Wells (who has nothing to do with this). I bet his mailbox is completely packed with bouncebacks and responses from confused people.
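For mail filtering or triage, the Base 64 section described above can be detected by decoding Base64 runs found in the message text and checking the result against document magic bytes. The following Python is an added example, not code from the original post; the function names and the threshold of four lines are assumptions, and the sample message is constructed (OLE2 magic plus filler bytes, not a real document).

```python
import base64
import binascii
import re
from email import message_from_string

# Magic bytes of container formats that can carry Office macros.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound file (legacy .doc/.xls)",
    b"PK\x03\x04": "ZIP container (OOXML .docm/.xlsm)",
}
# Four or more consecutive lines consisting only of Base64 characters.
B64_RUN = re.compile(r"(?:^[A-Za-z0-9+/]{16,}={0,2}[ \t]*\r?\n?){4,}", re.M)


def find_embedded_files(raw_message):
    """Return (file type, decoded size) for Base64 runs in text parts that decode to a known type."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode("latin-1")
        for run in B64_RUN.finditer(body):
            blob = "".join(run.group(0).split())
            blob = blob[: len(blob) - len(blob) % 4]  # drop a ragged tail
            try:
                data = base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                continue
            for magic, file_type in MAGIC.items():
                if data.startswith(magic):
                    findings.append((file_type, len(data)))
    return findings


def build_sample():
    """Constructed message: OLE2 magic plus filler bytes, not a real document."""
    fake_doc = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(range(256))
    return (
        "From: sender@example.org\n"
        "Subject: Emailing: slide1\n"
        "Content-Type: text/plain\n\n"
        "Constructed body text.\n\n"
        + base64.encodebytes(fake_doc).decode("ascii")
    )


if __name__ == "__main__":
    for file_type, size in find_embedded_files(build_sample()):
        print(f"Base64 section decodes to {file_type}, {size} bytes")
```

A hit means the message body carries a document that attachment scanning may never have seen as an attachment, so the decoded bytes should be passed to the same scanning applied to real attachments.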