Date: 7 October 2015 at 10:08
Subject: Scanned document from MX-2600N
Reply to: firstname.lastname@example.org
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set
File Format: XLS MMR(G4)
Resolution: 200dpi x 200dpi
Attached file is scanned document in XLS format.
Use Microsoft(R)Excel(R) to view the document.Attached is a file in the format email@example.com_20151007_160214.xls (where victimdomain.tld is the victim's own domain), which has a VirusTotal detection rate of 3/56. This Excel file contains a malicious macro [pastebin] which in THIS case downloads a binary from the following location:
There will be other versions of the XLS file which will download components from other locations, however the payload will be the same, and it currently has a detection rate of 2/56. The VirusTotal report indicates traffic to:
220.127.116.11 (ELB Multimedia, France)
Blocking traffic to and from that IP is recommended.
Automated analysis is pending, please check back later. The payload is probably the Dridex banking trojan.
Here are the Hybrid Analysis reports for the XLS file and executable.