From accounts [firstname.lastname@example.org]Attached is a file SI823610.XLS which I have seen only one version of in several samples of the email. Usually there are different variants. In this case, the spreadsheet contains this malicious macro [pastebin] and has a VirusTotal score of 4/54. According to this Hybrid Analysis report it then downloads a malicious binary from:
Date Wed, 11 Nov 2015 14:54:33 +0400
Subject Invoice SI823610 from OfficeFurnitureOnline.co.uk Order Ref 4016584
Please find attached a sales invoice from OfficeFurnitureOnline.co.uk.
This email address is only for account enquiries, please check your confirmation
for any information regarding the order details or delivery lead times.
Thank you for your order.
In turn, this binary has a detection rate of zero. Those two reports plus this Malwr report show between them malicious traffic to the following IPs:
126.96.36.199 (Iomart / Rapidswitch, UK)
188.8.131.52 (Ministry Of Education, Thailand)
184.108.40.206 (Elvsoft SRL / Coreix , Romania / UK)
The payload is the Dridex banking trojan.