Date: 9 October 2015 at 09:54
Subject: Your latest DHL invoice : MSE7396821
THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY
Please find attached your invoice in DOC format, dated 09/09/2015 for shipments and services supplied by DHL Express.
If you would like to download your invoice in a different format, click here to go to the DHL e-Billing website. You can also view your account details and on line invoice history here.
In the event of a problem with opening the attachment, please contact the e-Billing support team on 020 8831 5363 for assistance.
If you would like to verify the digital signature on this invoice, click here to go to the DHL e-Billing website and go to the FAQ section for instructions.
For all invoice content related queries, please contact 08442 480 777.
We look forward to receiving your payment in due course, and within the agreed credit terms as stated on your invoice.
We would like to thank you for using the services of DHL Express.
With kind regards,
The DHL e-Billing team
PROTECT YOUR PASSWORD
In the only sample I have seen, the attached file is named MSE7396821.doc and has a VirusTotal detection rate of 5/55. This contains a malicious macro [pastebin] which downloads a file from the following location:
There will undoubtedly be different versions of the document with different download locations. This binary is saved as %TEMP%\vtsAbd.exe and has a VirusTotal detection rate of 2/54. That VirusTotal report, this Malwr report and this Hybrid Analysis report show network traffic to:
220.127.116.11 (Data Net SRL, Romania)
I recommend that you block traffic to and from that IP address. The payload appears to be the Dridex banking trojan.