From: David Lawale [David.Lawale@buildbase.co.uk]
Date: 8 December 2015 at 10:58
Subject: Updated Statement - 2323191
Hi,

Please find attached copy updated statement as your account has 3 overdue incoices. Is there any reasons why they haven’t yet been paid?

Kind Regards
David

David Lawale | Credit Controller | Buildbase
Harvey Road, Basildon, Essex, SS13 1QJ
www.buildbase.co.uk
Attached is a file 151124142451_0001.xls which I have seen come in two versions so far (VirusTotal results). Analysis of this malware is pending, but it most likely leads to the Dridex banking trojan.
Automated analysis is inconclusive. It is possible that there is an error in the macro.
According to the comments in this post and also some other sources, the macros download from:
This has a detection rate of 4/55. According to these reports and other sources, the malware phones home to:
18.104.22.168 (High Speed Web/Genesis 2 Networks, US)
22.214.171.124 (AT&T, US)
126.96.36.199 (Ho Chi Minh City Post and Telecom Company, Vietnam)
188.8.131.52 (Hetzner, Germany)