From: "Transport for London" [firstname.lastname@example.org]
Date: Wed, 4 Nov 2015 14:33:44 +0100
Subject: Email from Transport for London
Please open the attached file to view correspondence from Transport for London.
If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download
this attachment. If you require Adobe Acrobat Reader this is available at no cost
from the Adobe Website www.adobe.com
Thank you for contacting Transport for London.
Customer Service Representative
This email has been scanned by the Symantec Email Security.cloud service.
This email and any attachment are intended solely for the addressee, are strictly
confidential and may be legally privileged. If you are not the intended recipient
any reading, dissemination, copying or any other use or reliance is prohibited. If
you have received this email in error please notify the sender immediately by email
and then permanently delete the email.
Attached is a file 6305093.zip, of which I have seen just one sample, containing a malicious executable 6305093.scr (MD5 6a4cce90ba28720fa9e6813f681b1f75), which has a VirusTotal detection rate of 7/54. This Hybrid Analysis report shows it communicating with the well-known malicious IP address of 184.108.40.206 (Cobranet, Nigeria), which I recommend you block.
The payload here seems to be Upatre dropping the Dyre banking trojan.
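As an added example (not part of the original post), here is the mail-gateway check this lure calls for: parse the message, open any ZIP attachment in memory, and flag members that carry an executable extension, start with an MZ header, or hash to the MD5 quoted above. The message it scans is constructed inline to mirror the one quoted on this page; its 6305093.scr is a harmless stub rather than the real sample, so only the extension and header checks fire and the hash check does not. The size cap is an assumption chosen to avoid inflating decompression bombs on a gateway. Blocking the 184.108.40.206 address is a firewall or proxy change and is not part of this script.

```python
from __future__ import annotations

import email
import hashlib
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Indicator quoted in the post: MD5 of the 6305093.scr sample.
KNOWN_BAD_MD5 = {"6a4cce90ba28720fa9e6813f681b1f75"}

# Extensions Windows runs on double-click; .scr is the one this campaign used.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# Assumed cap: refuse to inflate members larger than this (decompression-bomb guard).
MAX_MEMBER_BYTES = 20 * 1024 * 1024


def build_sample_message() -> bytes:
    """Constructed lookalike of the lure. The .scr member is a harmless stub
    with an MZ header, not the real malware; the headers mirror the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("6305093.scr", b"MZ" + b"\x00" * 62 + b"constructed stub, not a real PE")
    msg = EmailMessage()
    msg["From"] = '"Transport for London" <firstname.lastname@example.org>'
    msg["To"] = "victim@example.net"  # constructed recipient
    msg["Subject"] = "Email from Transport for London"
    msg.set_content("Please open the attached file to view correspondence from Transport for London.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="6305093.zip")
    return msg.as_bytes()


def scan_message(raw: bytes) -> list[dict]:
    """Return one finding per suspicious ZIP member (or per unreadable ZIP)."""
    findings: list[dict] = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            zf = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            # A ZIP the gateway cannot open is itself worth a human look.
            findings.append({"attachment": name, "member": None,
                             "md5": None, "reasons": ["unreadable zip"]})
            continue
        with zf:
            for info in zf.infolist():
                reasons = []
                # splitext takes the last extension, so invoice.pdf.scr is caught too.
                ext = os.path.splitext(info.filename)[1].lower()
                if ext in EXECUTABLE_EXTENSIONS:
                    reasons.append("executable extension")
                if info.file_size > MAX_MEMBER_BYTES:
                    reasons.append("member too large to inspect")
                    md5 = None
                else:
                    data = zf.read(info)
                    md5 = hashlib.md5(data).hexdigest()
                    if data[:2] == b"MZ":
                        reasons.append("MZ header")  # a PE whatever the name claims
                    if md5 in KNOWN_BAD_MD5:
                        reasons.append("known-bad md5")
                if reasons:
                    findings.append({"attachment": name, "member": info.filename,
                                     "md5": md5, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

The MZ check matters more than the extension list: a renamed payload (say, 6305093.pdf inside the ZIP) still starts with the DOS header, while a renamed-but-benign text file does not. Nested ZIPs and password-protected archives are not handled here and would need their own rule (quarantine on sight is the usual gateway policy).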