From: Holly Humphreys [Holly.Humphreys@datanet.co.uk]I have seen only one sample of this spam with an attachment with a somewhat interesting name of C:\\Users\\HOLLY~1.HUM\\AppData\\Local\\Temp\\Inv_107666_from_DATANET.CO..xls which saves on my computer as C__Users_HOLLY~1.HUM_AppData_Local_Temp_Inv_107666_from_DATANET.CO..xls. This contains this malicious macro [pastebin] and has a VirusTotal detection rate of 3/55.
Date: 3 December 2015 at 08:57
Subject: Invoice from DATANET the Private Cloud Solutions Company
Dear Accounts Dept :
Your invoice is attached, thank you for your business.
If you have any queries please do not hesitate to contact us.
01252 810010 Accounts Support from 9am to 5.30pm Monday to Friday
01252 813396 Technical Support from 8am to 8pm Monday to Friday
Please reply to Accounts@datanet.co.uk
Datanet - Hosting & Connectivity
01252 813396 - Normal Support: 8am-8pm Mon-Fri, Critical Break Fix Support: 24x7
DATANET.CO.UK Limited, Cloud Hosting & Connectivity Service Provider. Datanet is an ISO 9001 & ISO 27001 certified
business with the mantra of "CIA" - "Confidentiality, Integrity and Availability" at the heart of our private cloud solutions.
Information contained in this communication is confidential or restricted and is solely for the use of the intended recipient and others authorised to receive it.
If you are not the intended recipient you are hereby notified that any disclosure, distribution or action taken based on this email is prohibited and may be unlawful.
Registered Office: DATANET.CO.UK Limited, Aspen House, Barley Way, Ancells Business Park, Fleet, Hampshire, GU51 2UT Registered in England - No. 03214053
According to this Malwr report and this Hybrid Analysis the XLS file downloads a malicious binary from :
There will probably be other versions of this document downloading from other locations too. This has a VirusTotal detection rate of just 1/55 and that report plus this Malwr report indicate malicious network traffic to:
220.127.116.11 (VPS Cheap, US / Sulaiman Alfaifi, Saudi Arabia)
18.104.22.168 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
22.214.171.124 (Hetzner, Germany)
The payload is almost definitely the Dridex banking trojan.
I have seen another version of the document with an MD5 of c7fa6a1f345aec2f1db349a80257f459 and a VirusTotal result of 3/54. According to this Malwr report it downloads from: