Date: 17 December 2015 at 08:54
Subject: Email from Transport for London
Please open the attached file to view correspondence from Transport for
If the attachment is in PDF format you may need Adobe Acrobat Reader to
read or download this attachment.
If you require Adobe Acrobat Reader this is available at no cost from
the Adobe Website http://www.adobe.com
Thank you for contacting Transport for London.
Customer Service Representative
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
This email and any attachment are intended solely for the addressee, are s=
trictly confidential and may be legally privileged. If you are not the int=
ended recipient any reading, dissemination, copying or any other use or re=
liance is prohibited. If you have received this email in error please noti=
fy the sender immediately by email and then permanently delete the email.
The attachment is not properly formatted and appears as a Base 64 section of the email. What it should be is a malicious document named FR7000609906.doc which has a VirusTotal detection rate of 4/54.
The Malwr analysis of the document indicates that it downloads from:
This has a detection rate of 3/54 and an MD5 of d5e717617400b3c479228fa756277be1. The Malwr report and Hybrid Analysis indicate network traffic to:
18.104.22.168 (OVH, France)
22.214.171.124 (Marian International Institute Of Management, India)
The payload is likely to be the Dridex banking trojan.