From "Steve McDonnell" [email@example.com]I have only seen a single sample of this with an attachment named Invoices001396,1406-11.2015.xls which has a VirusTotal detection rate of 3/54 and which contains this malicious macro [pastebin] which (according to this Hybrid Analysis report) in this case downloads a binary (very slowly!) from:
Date Mon, 09 Nov 2015 18:24:23 +0530
Subject OUTSTANDING INVOICES
Please find attached invoices 1396 & 1406 which are now outstanding.
I should be grateful if you would let me know when they are going to be paid.
Unit 11, Poplars Industrial Estate
Wetherby Road, Boroughbridge
North Yorkshire, YO51 9HS
Tel: +44 (0) 1423 325073
We are members of...
MIB Vertical logo stacked - Bottom - North East
The VirusTotal detection rate for this binary is 3/55. That report indicates network traffic to:
18.104.22.168 (Agava Ltd, Russia)
Other analyses are pending, however I strongly recommend that you block traffic to that IP. The paylaod is likely to be the Dridex banking trojan.
This Malwr report also shows traffic to the same IP address.