From AccountsPayable@Norfolk.gov.ukAttached is a file 6134443_101115_141851.xls which apparently comes in two or three versions, although I have only seen one with a VirusTotal detection rate of 3/54 and containing this malicious macro.
Date Thu, 12 Nov 2015 14:09:46 +0430
Subject Remittance Advice
Please find attached your remittance advice.
To see our email disclaimer click here http://www.norfolk.gov.uk/emaildisclaimer
These documents then download a malicious binary from:
This binary has a VirusTotal detection rate of 3/54, and that report plus this Hybrid Analysis report show malicious traffic to:
18.104.22.168 (Iomart Hosting / Rapidswitch, UK)
22.214.171.124 (Ministry of Education, Thailand)
The payload is the Dridex banking trojan.