From Anny Beckley [Anny@hammondsofknutsford.co.uk]In the two samples that I have seen, the attached file was named Q_46Q0VWHU4.DOC with a VirusTotal detection rate of 7/56. This document contains a malicious macro [pastebin] which downloads a further component from the following location:
Date Tue, 06 Oct 2015 12:29:23 +0430
Subject Copy of Invoice(s)
Please find attached a copy of Invoice Number(s) 82105
This currently has a detection rate of just 1/56 and it appears to be saved as %TEMP%\rrdDhhm.exe. Note that there are usually several different document versions spammed out with different download locations, but the payload is the same in every case.
Automated analysis is pending, but the payload is almost definitely the Dridex banking trojan.
The Hybrid Analysis report for the document is here and the analysis of the dropped executable is here showing the malware phoning home to 188.8.131.52 (ELB Multimedia, France)