Date: 2 December 2015 at 11:36
Subject: Your Adler Invoice No. UK 314433178 IN
Thank you very much for having placed your order with Adler.
Your goods have been shipped. Please see attached invoice for payment of
For your convenience, you will find several payment methods described on the
attached invoice (please be sure to include your Adler Order #).
If you have any questions, feel free to contact us.
Your Adler Customer Service Team
Adler Manufacturing Limited
Eastgate House, 35-43 Newport Road
Cardiff CF24 0AB
Tel.: 0800 0087 555
Fax 0800 0087 666
Supposedly attached is a document MD220EML.XLS but instead all the samples I see just have a Base 64 encoded section instead. Shame. If you go to the effort of decoding them, they are two moderately detected malicious documents (VirusTotal results  ) which according to these Malwr reports   downloads a binary from:
These download locations were seen earlier, but the payload has changed to one with a detection rate of 4/55. Those earlier Malwr reports indicate malicious traffic to:
184.108.40.206 (PJSC DATAGROUP, Ukraine)
I strongly recommend that you block traffic to that IP. The payload is likely to be the Dridex banking trojan.