From: firstname.lastname@example.org [email@example.com]
Date: 21 September 2015 at 11:30
Subject: Your Sage subscription invoice is ready
Dear Ralph Spivey
Account number: 45877254
Your Sage subscription invoice is now online and ready to view.
Sage One subscriptions
Please follow the link bellow to view/download your account invoice: http://www.sageone.co.uk/
Got a question about your invoice?
Call us on 1890 88 5045
If you're an Accountant, please call 1890 92 21 06
If you're a Business Partner, please call 1890 94 53 85
The Sage UK Subscription Team
Please note: There is no unsubscribe option on this email, as it is a service message, not a marketing communication. This email was sent from an address that cannot accept replies. Please use the contact details above if you need to get in touch with us.
The link in the email actually goes to a download location at Cubby rather than sageone.co.uk, this downloads a file invoice.zip which in turn contains a malicious executable invoice.scr which has a VirusTotal detection rate of 1/56. The Hybrid Analysis report shows that this is Upatre dropping the Dyre banking trojan, and one key indication of infection is traffic to the IP 18.104.22.168 in Nigeria.