From [firstname.lastname@example.org]The attachments (in the format uk_conf_email_2012_dmh562810.xls) appear to be corrupt because of an error in the MIME attachment in the email, so they will either be zero length or appear to be garbage. I haven't seen any non-corrupt versions of the attachment at all. This is the second corrupt Dridex spam run today (this is the other one).
Date Fri, 15 Jan 2016 16:21:55 +0530
Subject Reservation Confirmation Number79501
We are pleased to confirm the attached booking at Drayton Manor Hotel.
Should you have any queries, please do not hesitate to contact us. We look
forward to welcoming you to Drayton Manor Hotel.
A source tells me that when repaired, the documents attempt to download a malicious binary from:
The payload is the same one as found here with a detection rate of 6/55. I would recommend blocking the IPs I mentioned in that post too.