From: Bhavani Gullolla [email@example.com]
Date: 12 January 2016 at 09:51
Subject: Payment Advice - 0002014343
This is to inform you that we have initiated the electronic payment through our Bank.
Please find attached payment advice which includes invoice reference and TDS deductions if any.
Transaction Reference :
Vendor Code :9189171523
Company Code :WT01
Payer/Remitters Reference No :63104335
Beneficiary Details :43668548/090666
Paymet Method : Electronic Fund Transfer
Payment Amount :1032.00
Processing Date :11/01/2016
For any clarifications on the payment advice please mail us at firstname.lastname@example.org OR
call Toll Free in India 1800-200-3199 between 9:00 am to 5:00 pm IST (Mon-Fri) OR contact person indicated in the purchase order.
The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com

The attachment is randomly named in the format 9705977867.doc, which I have seen in two different versions with detection rates of 5/54, and according to the Malwr reports they both download a malicious binary from:
This download location is characteristic of the Dridex 220 botnet. The downloaded binary has a detection rate of 4/55 and this Malwr report shows network traffic to:
220.127.116.11 (Interserver Inc, US)
I strongly recommend that you block this IP address.
Attachment MD5s (there are probably others!)
There is an additional download location of:
The payload has changed but still has similar characteristics to before [VirusTotal report / Malwr report].
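An added example, not from the original post: a mail-filter check that flags messages matching the lure described above. The two regular expressions are assumptions inferred from the single sample shown here (subject "Payment Advice - " plus ten digits, attachment named as ten digits plus .doc), and the test messages are constructed.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed patterns, inferred from the one sample quoted on this page.
SUBJECT_RE = re.compile(r"^Payment Advice - \d{10}$", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"^\d{10}\.doc$", re.IGNORECASE)


def attachment_names(msg):
    """Return the filenames of every attachment part in a parsed message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def score_message(raw):
    """Parse a raw RFC 5322 message and return (score, reasons)."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    if SUBJECT_RE.match((msg["Subject"] or "").strip()):
        reasons.append("subject matches lure pattern")
    for name in attachment_names(msg):
        if ATTACHMENT_RE.match(name.strip()):
            reasons.append("all-numeric .doc attachment: " + name)
    return len(reasons), reasons


def build_sample(subject, filename):
    """Build a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"] = "sender@example.com"      # constructed address
    m["To"] = "recipient@example.com"     # constructed address
    m["Subject"] = subject
    m.set_content("Please find attached payment advice.")
    m.add_attachment(b"placeholder, not a real document",
                     maintype="application", subtype="msword",
                     filename=filename)
    return m.as_string()


if __name__ == "__main__":
    samples = [
        build_sample("Payment Advice - 0002014343", "9705977867.doc"),
        build_sample("Quarterly report", "report-q4.doc"),
    ]
    for raw in samples:
        score, reasons = score_message(raw)
        print(score, reasons)
```

A score of 2 means both the subject and the attachment name match; a filename-only match is weaker evidence, since other senders may use numeric filenames.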