From: Jean Pierre Kibungu [jpie.kibungu@victimdomain]The telephone number does match that of a genuine company in Jersey, but they are not sending this spam. The attachment is named 0150363108788101_02416060_1.xls and so far I have seen just one version of this with a VirusTotal detection rate of 4/53. It contains this malicious macro [pastebin].
Date: 20 November 2015 at 09:56
Please find attached the swift of the transfer of $30000.
Jean Pierre Kibungu
JEAN PIERRE KIBUNGU AVAR-DA-VISI
INCAT OILFIELD LOGISTICS (DRC) LTD
Mob: + 243 998 01 95 01
Tel. +44(0) 1534 758859
Fax: +44(0) 1534 758834
Analysis of the spreadsheet is pending, but the payload is almost definitely the Dridex banking trojan.
Sources tell me there are at least two variants with download locations of:
This has an MD5 of d410a45dc4710ea0d383dee81fbbcb6f and a VirusTotal detection rate of 4/52. According to that VirusTotal report and this Malwr report, it makes a network connection to:
126.96.36.199 (Trinity College, US)
I strongly recommend that you block traffic to that IP.