From "Chelsee Gee" <firstname.lastname@example.org>Note that the email in my sample is slightly mangled and might not be the same as yours. I received several copies of this, and the normal method is that there are several different email attachments, however I will look at just one. Named Order-SO00653333-1.doc this file has a detection rate of 6/56, and it contains this malicious macro [pastebin].
Date Thu, 01 Oct 2015 18:51:16 +0700
Subject Please print
UC Blinds Limited
1150 Stratford Road
Tel: 0121 777 3092
Fax: 0121 777 3143
Website: <http://www.ucblinds.co.uk/> www.ucblinds.co.uk
All types of Commercial and Domestic Window Blinds â–ª Made to Measure Curtains â–ª
Awnings and Canopies â–ª Grilles and Shutters â–ª Internal Plantation Shutters â–ª
Window Film â–ª Cleaning and Repairs.
Company No: 7215441
Registered Address: Nairn House, 1174 Stratford Road, Hall Green, Birmingham, B28
This email is confidential. If you are not the intended recipient then you must
not copy it, forward it, use it for any purpose, or disclose it to another person.
Instead please return it to the sender immediately. Please then return and delete
your copy from your system. Thank you.
The Hybrid Analysis report for this particular document shows the malware downloading from:
Other locations are:
This binary has a VirusTotal detection rate of 2/56 and the Hybrid Analysis report for that is here.
The payload is the Dridex banking trojan, and in fact this is the first Dridex I have seen in over a month after some of the alleged perpatrators were arrested.