From email@example.com
Date Mon, 05 Oct 2015 15:47:11 +0700
Subject Your Invoices - Incident Support Group Ltd

Please find attached your invoices from Incident Support Group Ltd. If you wish to
change the email address we have used please email firstname.lastname@example.org with the

In the sample I saw, the attached file was 216116.xls, which has a VirusTotal detection rate of 6/56 and contains this malicious macro [pastebin], which then downloads a component from the following location:
Note that at the time of writing, I only have one sample of this. There are usually several versions of the attachment in these spam runs, with different download locations. The malicious binary has a detection rate of 4/56.
The VirusTotal report and this Hybrid Analysis report indicate traffic to:
220.127.116.11 (ELB Multimedia, France)
Blocking or monitoring traffic to and from the port would probably be prudent. The payload is most likely the Dridex banking trojan.
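A mail-gateway triage check for the pattern described above (an invoice-themed subject carrying a macro-bearing .xls attachment), as an added example that is not part of the original post. The subject regex, the function names and the synthetic attachment bytes are assumptions made for illustration, and the macro check is a byte-level heuristic rather than a full OLE parser.

```python
import re
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 header of legacy .xls/.doc
# OLE directory names are UTF-16LE; this prefix also matches "_VBA_PROJECT_CUR",
# the storage that holds VBA macro code in an .xls workbook.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# Assumption: the lure keeps the "Your Invoices - <company> Ltd" shape.
SUBJECT_RE = re.compile(r"^your invoices? - .+ ltd$", re.IGNORECASE)
LEGACY_EXT = (".xls", ".doc")


def triage(msg):
    """Return the reasons a message resembles this spam run (empty list if none)."""
    reasons = []
    if SUBJECT_RE.match(str(msg.get("Subject", "")).strip()):
        reasons.append("invoice-lure subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(LEGACY_EXT):
            continue
        data = part.get_payload(decode=True) or b""
        # Heuristic only: require the OLE header plus a VBA storage name.
        if data.startswith(OLE_MAGIC) and VBA_MARKER in data:
            reasons.append("macro-bearing OLE attachment: " + name)
    return reasons


def build_sample(subject, filename, payload):
    """Constructed message for the demo; payload is synthetic, not a real workbook."""
    msg = EmailMessage()
    msg["From"] = "email@example.com"
    msg["Subject"] = subject
    msg.set_content("Please find attached your invoices.")
    msg.add_attachment(payload, maintype="application",
                       subtype="vnd.ms-excel", filename=filename)
    return msg


# Constructed byte strings: OLE header, padding, then a directory-style name.
FAKE_MACRO_XLS = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT_CUR".encode("utf-16-le")
FAKE_CLEAN_XLS = OLE_MAGIC + b"\x00" * 504 + "Workbook".encode("utf-16-le")

if __name__ == "__main__":
    lure = build_sample("Your Invoices - Incident Support Group Ltd",
                        "216116.xls", FAKE_MACRO_XLS)
    print(triage(lure))
    print(triage(build_sample("Quarterly report", "q3.xls", FAKE_CLEAN_XLS)))
```

A non-empty result is a reason to quarantine the message for analysis, not a verdict, since legitimate workbooks can also carry macros.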
Other download locations spotted so far: