From: firstname.lastname@example.org [mailto:email@example.com]
Sent: Tuesday, November 10, 2015 11:21 AM
Subject: Itinerary #C003NS39
Please see document attached
Attached is a file Hotel-Fax-V0045G2B_8308427510989318361.xls which contains this malicious macro [pastebin] which (according to this Hybrid Analysis report) downloads a component from:
So far I have only seen one sample of this; there are likely to be others with different download locations but the same binary. This executable file has a detection rate of 2/55, and that VirusTotal report and this Malwr report indicate traffic to the following IP:
126.96.36.199 (Agava Ltd, Russia)
I strongly recommend blocking traffic to that IP address. The payload is the Dridex banking trojan.