From: Gompels Healthcare ltd [firstname.lastname@example.org]
Date: 21 January 2016 at 12:57
Subject: Gompels Healthcare Ltd Invoice
Please see attached pdf file for your invoice
Thank you for your business
The attachment is named fax00375039.doc and it comes in at least two different versions (VirusTotal) and the Malwr reports show download locations from:
That marks it out as Dridex 220, similar to this spam run. However, the executable has changed from earlier and now has an MD5 of 95a1e02587182abfa66fdcf921ee476e and a zero detection rate at VirusTotal. The malware still phones home to the same IP of 220.127.116.11 as before.