E-Service have been exceptionally quick about posting an update on their Twitter page. However, they have not been hacked at all as it is trivially easy to forge an email message. The attachment is a malicious Excel spreadsheet which leads to the Dridex banking trojan.
From: Andrew Williams [firstname.lastname@example.org]
Date: Mon, 11 Jan 2016 17:07:38 +0700
Subject: E-Service (Europe) Ltd Invoice No: 10013405
Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you
to make payment for all transactions on or before their due date.
Please contact E-Service (Europe) if you have any issues or queries preventing your
prompt payment on:
Tel (44) 01707 280000
Or logon and register to access your customer portal where you can view all historic
orders & transactions on www.e-service.co.uk
PLEASE NOTE NEW E-SERVICE (EUROPE) BANK DETAILS:
Currency A/C No. Sort Code Swift Code IBAN No.
GBP 21698613 40-04-37 MIDLGB22 GB48MIDL40043721698613
EUR 71685997 40-05-15 MIDLGB22 GB75MIDL40051571685997
E-Service (Europe) Accounts Team
So far, I have seen five different versions of the attachment, all named Invoice 10013405.XLS and with detection rates of about 8/55. Analysis of the attachments is pending; please check back later.
The Malwr reports for the attachment show that the macro in the spreadsheet downloads a file from the following locations:
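The two points above, that the From header proves nothing and that the payload is a legacy Excel attachment, are the ones a mail gateway or triage script can check cheaply. The following is an added example written for this post, not code from the original or from any vendor: it builds a constructed message modelled on the spam (the display address uses the same example.org placeholder as above, the envelope sender, Return-Path domain and fake attachment bytes are assumptions), then flags a From/envelope domain mismatch and identifies the attachment container by its magic bytes rather than trusting the .XLS extension.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Magic numbers for the two Office container formats worth triaging here.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc (OLE compound file), macro-capable
ZIP_MAGIC = b"PK\x03\x04"                          # .xlsx/.xlsm/.docm are zip containers

MACRO_CAPABLE_EXTS = {"xls", "xlsm", "xlsb", "doc", "docm", "dot", "dotm"}


def build_sample_message() -> bytes:
    """Construct a sample message mirroring the spam above. This is not a real capture;
    the Return-Path and the attachment bytes are invented for the example."""
    msg = EmailMessage()
    msg["From"] = "Andrew Williams <firstname.lastname@example.org>"  # displayed sender
    msg["Return-Path"] = "<bounce@mailer.example.net>"                # envelope sender (assumed)
    msg["Subject"] = "E-Service (Europe) Ltd Invoice No: 10013405"
    msg["Date"] = "Mon, 11 Jan 2016 17:07:38 +0700"
    msg.set_content("Please find your invoice attached from E-Service (Europe) Ltd.")
    fake_xls = OLE2_MAGIC + b"\x00" * 64  # fake OLE2 header only, not a real workbook
    msg.add_attachment(fake_xls, maintype="application", subtype="vnd.ms-excel",
                       filename="Invoice 10013405.XLS")
    return msg.as_bytes()


def sender_mismatch(msg) -> dict:
    """Compare the domain in the displayed From header with the envelope sender domain.
    A mismatch does not prove forgery on its own, but it is the cheapest first check."""
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    envelope_domain = return_path.rpartition("@")[2].lower()
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "mismatch": bool(from_domain and envelope_domain and from_domain != envelope_domain),
    }


def triage_attachments(msg) -> list:
    """Classify each attachment by its leading bytes and by the claimed extension."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if data.startswith(OLE2_MAGIC):
            container = "ole2"
        elif data.startswith(ZIP_MAGIC):
            container = "zip"
        else:
            container = "other"
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        findings.append({
            "filename": name,
            "extension": ext,
            "container": container,
            "legacy_office": container == "ole2",           # OLE2 files can carry VBA macros
            "macro_capable_ext": ext in MACRO_CAPABLE_EXTS,  # what the name claims to be
        })
    return findings


def analyse(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return the sender and attachment findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"sender": sender_mismatch(msg), "attachments": triage_attachments(msg)}


if __name__ == "__main__":
    print(analyse(build_sample_message()))
```

A real gateway would add the Authentication-Results (SPF/DKIM/DMARC) verdicts to the sender check and hand any `legacy_office` attachment to a macro scanner; the magic-byte test matters because renaming the file does not change the container a spreadsheet application will open it as.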
This dropped file has a detection rate of 1/55. It is the same binary as found in this earlier spam run which phones home to:
18.104.22.168 (Aliyun Computing Co, China)
This is an IP that I strongly recommend blocking.
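Blocking the address is the easy half; the other half is finding out which hosts already talked to it. The following is an added example, not part of the original post: it takes constructed iptables-style firewall log lines (the internal addresses and other destinations are invented), counts connections per internal host to the phone-home IP given above, and emits matching drop rules for the firewall's forward chain.

```python
import ipaddress
import re
from collections import Counter

# IoC from the writeup above: the address the dropped binary phones home to.
C2_IPS = {ipaddress.ip_address("18.104.22.168")}

# Constructed sample log lines in iptables LOG-target format; not real traffic.
SAMPLE_LOG = """\
Jan 11 10:15:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=18.104.22.168 PROTO=TCP SPT=49211 DPT=80
Jan 11 10:15:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=93.184.216.34 PROTO=TCP SPT=49212 DPT=443
Jan 11 10:16:40 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=18.104.22.168 PROTO=TCP SPT=51033 DPT=80
Jan 11 10:17:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=18.104.22.168 PROTO=TCP SPT=49213 DPT=8080
Jan 11 10:17:05 fw kernel: malformed line without addresses
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")


def hunt(log_text: str, iocs=C2_IPS) -> dict:
    """Return {internal_host: connection_count} for every host that reached an IoC address.
    Lines that do not parse, or carry an invalid address, are skipped rather than crashing the run."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if dst in iocs:
            hits[m["src"]] += 1
    return dict(hits)


def block_rules(iocs=C2_IPS) -> list:
    """Egress drop rules for the IoC addresses on a Linux forwarding firewall (one per address)."""
    return [f"iptables -I FORWARD -d {ip} -j DROP" for ip in sorted(iocs, key=int)]


if __name__ == "__main__":
    for host, count in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{host} contacted a known C2 address {count} time(s)")
    print("\n".join(block_rules()))
```

Hosts that appear in the `hunt` output need the dropped binary removed and their credentials treated as exposed, since Dridex targets online banking logins; the block rule only stops further beaconing.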
Dropped file MD5: