From Ray White [email@example.com]
Date Thu, 15 Oct 2015 10:56:35 +0200
Subject [Scan] 2015-10-14 5:29:54 p.m.
In the only sample I saw, the attachment was named 2015-10-14 5-29-54 p.m..doc which has a VirusTotal detection rate of 4/56 and which contains this malicious macro [pastebin] . The Hybrid Analysis report shows this particular version (there will be others) downloading a binary from:
Despite the apparently random name, this is a real business website (SDH Stříbrná Lhota) that has been compromised. This binary has a detection rate of just 2/56 and is saved as %TEMP%\CrowSoft1.exe. The Hybrid Analysis report for this indicates connections to:
220.127.116.11 (Elvsoft SRL, Romania / Coreix, UK)
18.104.22.168 (Online SAS / Iliad Entreprises / Poney Telecom, France)
The payload appears to be the Dridex banking trojan, still going strong despite reports of arrests in the crime gang responsible.