From Lucie Newlove [email@example.com]
Date Thu, 26 Nov 2015 16:03:04 +0500
Subject Invoice Document SI528880
Please see attached Invoice Document SI528880 from HIDER FOOD IMPORTS LTD.
ARE YOU AWARE THAT OUR NEW WEBSITE IS NOW AVAILABLE?
Please contact our Sales Department for details.
Hider Food Imports Ltd
REGISTERED HEAD OFFICE
Registered in England Number : 842813
Main Tel: +44 (0)1482 561137
Sales Tel: +44 (0)1482 504333
Fax: +44 (0)1482 565668
DISCLAIMER: This e-mail and any attachments are private and confidential and are
intended solely for the use of the intended recipient(s). If you are not the intended
recipient, you must not use, disclose, distribute, copy, print, or rely on this e-mail.
If you have received this e-mail in error, please advise the sender by return e-mail
immediately and delete all copies of this message and any attachments from your systems.
All prices quoted are subject to final confirmation. This e-mail and any other arrangements
between us will be subject to our terms and conditions of business, a copy of which
can be found at our website or available upon request.
ANTIVIRUS: Hider Food Imports Ltd regularly update and utilise current anti-virus
products. Hider Food Imports Ltd however accept no liability for any damage which
may be caused by any virus transmitted by this e-mail or any attachments. Recipients
should check this e-mail is free of Viruses.
The attached file is SI528880.xls of which I have seen just one sample with a VirusTotal detection rate of 2/54, and it contains this malicious macro [pastebin] which according to this Hybrid Analysis report downloads a malicious component from:
This executable has a detection rate of just 1/54 and automated analysis shows network traffic to the following IPs:
The payload is probably the Dridex banking trojan.
I accidentally included 126.96.36.199 in a previous version of the blocklist. This IP is for Windows Update (I deleted it from the first list, not the second one!). If you have blocked this IP then I recommend that you unblock it.
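The mistake above (a Windows Update address slipping into the blocklist) is easy to repeat when a C2 list is pasted straight into a firewall. The following is an added example, not code from the original post: it parses annotated "IP (owner, country)" lines of the kind listed above, drops duplicates, and refuses to emit any address that falls inside an allowlist of infrastructure you must never block. The sample list and the allowlist CIDR are constructed from RFC 5737 documentation ranges, not real indicators.

```python
import ipaddress
import re

# Constructed sample in the same "IP (owner, country)" shape as the post's
# list; RFC 5737 documentation addresses, not real IoCs.
SAMPLE_BLOCKLIST = """\
192.0.2.10 (Example Hosting, US)
198.51.100.7 (Example Telecom, UK)
203.0.113.5 (Example University, FI)
198.51.100.200 (Example Update CDN, US)
198.51.100.7 (Example Telecom, UK)
"""

# Hypothetical allowlist of ranges that must never be blocked (e.g. an OS
# update service). Populate from your own verified sources in practice.
KNOWN_GOOD = [ipaddress.ip_network("198.51.100.192/26")]

LINE_RE = re.compile(r"^\s*(\S+)\s*\((.*)\)\s*$")


def parse_blocklist(text):
    """Return [(ip_address, annotation)] in order, skipping unparsable lines
    and duplicate addresses."""
    entries, seen = [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not an IP literal; leave it out rather than guess
        if ip in seen:
            continue
        seen.add(ip)
        entries.append((ip, m.group(2)))
    return entries


def vet_blocklist(text, allow=KNOWN_GOOD):
    """Split entries into (safe_to_block, collisions_with_known_good)."""
    safe, collisions = [], []
    for ip, note in parse_blocklist(text):
        hit = next((net for net in allow if ip in net), None)
        if hit is None:
            safe.append(str(ip))
        else:
            collisions.append((str(ip), note, str(hit)))
    return safe, collisions


if __name__ == "__main__":
    safe, bad = vet_blocklist(SAMPLE_BLOCKLIST)
    print("block:", safe)
    for ip, note, net in bad:
        print(f"DO NOT BLOCK {ip} ({note}): inside allowlisted {net}")
```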