From: email@example.com [firstname.lastname@example.org]Attached is a file XACWL-15DEC12-120106.DOC which I have only seen one variant of so far, with a VirusTotal detection rate of 6/54. According to the Malwr analysis, it downloads a file from:
Date: 10 December 2015 at 11:35
Subject: STMT ACWL-15DEC12-120106
The following are attached to this email:
There will probably be other versions of the document with different download locations. This executable has a detection rate of 2/54 and according to this Malwr report it contacts:
220.127.116.11 (University Of Puerto Rico, Puerto Rico)
Other analysis is pending, in the meantime I recommend that you block traffic to that IP. The payload is probably the Dridex banking trojan.