From: June Abel via Dropbox [firstname.lastname@example.org]I have seen three different samples with different download location:
Date: 25 August 2015 at 12:59
Subject: June Abel shared "UPDATE_VACATIONS_SCHEDULE_09_2015.pdf" with you
In each case, the binary downloaded is identical and has a VirusTotal detection rate of 3/55. Analysis is pending, but the payload appears to be the Dyre banking trojan.
The Hybrid Analysis report shows traffic to 18.104.22.168 (Cobranet, Nigeria) which I recommend you block.