From: Adeline Harrison [HarrisonAdeline20@granjacapital.com.br]
Date: 19 January 2016 at 09:45
Subject: Remittance Advice 1B859E37
For the attention of Accounts Receivable,
We are attaching an up to date remittance advice detailing the latest payment on your account.
Please contact us on the email address below if you would like your remittance sent to a different email address, or have any queries regarding your remittance.
Senior Finance Assistant, Bellingham + Stanley
Bellingham + Stanley
Kent, TN2 3EY
Office: +44 (0) 1892 500406
Fax: +44 (0) 1892 543115
I have seen at least four different variations of the attachment, named in the format remittance_advice14DDA974.doc (VirusTotal results). These Malwr reports show those samples communicating with:
Those IPs are:
184.108.40.206 (Veraton Projects, Netherlands)
220.127.116.11 (ITL Company, Ukraine)
UPDATE 1: this related spam run also downloads from:
This is allocated to "Private Person Anton Malyi" in Ukraine.
A file aarab.exe is dropped (MD5 05219ea0aefedc873cecaa1f5100c617) [VT 4/53] which appears to communicate with:
18.104.22.168 (OVH, Canada)
I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan; this attack is consistent with botnet 120.
This other Dridex 120 spam run uses different download locations:
The dropped "aarab.exe" file is also different, with an MD5 of c19959c2d372a7d40d4ba0f99745f114 and a detection rate of just 2/54.
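A triage sketch for the lure described in this post, added here as an example and not part of the original write-up: it scores mail-gateway records on the subject and attachment naming seen above and checks file content against the two aarab.exe MD5s quoted above. The 8-hex-digit suffix rule, the record field layout and all function names are assumptions, and the log records are constructed.

```python
import hashlib
import re

# MD5s of the two dropped aarab.exe samples, as quoted in the post.
KNOWN_PAYLOAD_MD5 = {
    "05219ea0aefedc873cecaa1f5100c617",
    "c19959c2d372a7d40d4ba0f99745f114",
}

# Assumption: the suffix is always 8 hex digits, generalised from the two
# values in the post (subject 1B859E37, attachment 14DDA974). The two IDs
# differ in the sample, so the rules do not require them to be equal.
SUBJECT_RE = re.compile(
    r"^\s*(?:(?:re|fwd?):\s*)*remittance advice\s+[0-9a-f]{8}\s*$", re.I)
ATTACH_RE = re.compile(r"^remittance_advice[0-9a-f]{8}\.doc$", re.I)


def score_message(subject, attachments):
    """Return (score, reasons); a score of 2 means both lure traits matched."""
    reasons = []
    if SUBJECT_RE.match(subject or ""):
        reasons.append("subject matches 'Remittance Advice <8 hex>'")
    # Compare on the bare file name in case the gateway logs a path.
    hits = [a for a in attachments if ATTACH_RE.match(a.rsplit("/", 1)[-1].strip())]
    if hits:
        reasons.append("attachment name matches: " + ", ".join(hits))
    return len(reasons), reasons


def is_known_payload(data: bytes) -> bool:
    """True if the content hashes to one of the MD5s listed in the post."""
    digest = hashlib.md5(data, usedforsecurity=False).hexdigest()
    return digest in KNOWN_PAYLOAD_MD5


# Constructed mail-gateway records (hypothetical field layout), not real logs.
SAMPLE_LOG = [
    {"id": "m1", "subject": "Remittance Advice 1B859E37",
     "attachments": ["remittance_advice14DDA974.doc"]},
    {"id": "m2", "subject": "RE: Remittance advice 0A1B2C3D",
     "attachments": ["invoice.pdf"]},
    {"id": "m3", "subject": "Remittance Advice for March",
     "attachments": ["remittance_advice.doc"]},
    {"id": "m4", "subject": "Lunch?", "attachments": []},
]


def triage(records):
    """Map message id -> score for records showing at least one trait."""
    scored = {r["id"]: score_message(r["subject"], r["attachments"])[0] for r in records}
    return {msg_id: s for msg_id, s in scored.items() if s}
```

Messages scoring 2 match both traits of this run; a score of 1 is worth a manual look, since a legitimate remittance email can share the subject wording.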