From: Manchester Accounts [firstname.lastname@example.org]
Date: 6 July 2015 at 07:10
Subject: Statement as at 30/06/2015
Please find attached statement from HOBS REPROGRAPHICS PLC as at
Please note that our payment terms are 30 days.
So far I have only seen one sample, with an attachment named ELLE013006.doc [VT 4/54] which contains this malicious macro [pastebin] which downloads a malicious executable from:
Well, it would do, but in the sample I have there's a syntax error in the URL.
There are usually several versions of the document; probably some of the others work OK. The executable is saved as %TEMP%\blogdynamoocom.exe (see what they did there?) and has a VirusTotal detection rate of 1/50. Automated analysis tools indicate that the malware phones home to:
188.8.131.52 (OVH, France)
184.108.40.206 (Isimtescil, Cyprus)
220.127.116.11 (OneGbits, Lithuania)
The payload to this is almost definitely the Dridex banking trojan.