From AccountsPayable@Norfolk.gov.uk
Date Thu, 12 Nov 2015 14:09:46 +0430
Subject Remittance Advice
Please find attached your remittance advice.
To see our email disclaimer click here http://www.norfolk.gov.uk/emaildisclaimer
Attached is a file 6134443_101115_141851.xls which apparently comes in two or three versions, although I have only seen one with a VirusTotal detection rate of 3/54 and containing this malicious macro.
These documents then download a malicious binary from:
This binary has a VirusTotal detection rate of 3/54, and that report plus this Hybrid Analysis report show malicious traffic to:
184.108.40.206 (Iomart Hosting / Rapidswitch, UK)
220.127.116.11 (Ministry of Education, Thailand)
The payload is the Dridex banking trojan.