From: Reservations [email@example.com]
Date: 15 December 2015 at 11:50
Subject: Invoice for Voucher ACH-2-197701-35
Payment Link For BookingACH-2-197701-35
Please find attached your invoice for reservation number ACH-2-197701-35
This email was sent on 14/12/2015 at 16:25
I have only seen a single sample, with an attachment ACH-2-197701-35-invoice.xls which has a VirusTotal detection rate of 3/54. According to this Malwr report, it downloads a malicious binary from:
The payload here is the Dridex banking trojan, and it is identical to the one found in this spam run.