This fake financial spam comes with a malicious attachment:
From info17@Resellers.insureandgo.comThe sender appears to be from info[some-random-number]@Resellers.insureandgo.com, but it is just a simple forgery. Attached is a malicious Word document that I have seen five different versions of (VirusTotal results     ).
Date Tue, 19 Jan 2016 14:27:06 +0530
Subject Thank you for purchasing from Cheaper Travel Insurance - 14068156
Your policy number: MF/CP/205121/14068156
Dear customer, Thank you for buying your travel insurance from Cheaper.
Your policy documents are attached.
Quote number: 21272810
Policy number: MF/CP/205121/14068156
Insurance is arranged by Insure & Go Insurance Services Ltd who are authorised and regulated by the Financial Conduct Authority. Insure & Go Insurance Services Ltd Registered Address: 10th Floor Maitland House, Warrior Square, Southend-on-Sea, Essex SS1 2JY. Registered in England and Wales (Company Number: 04056769). Calls may be recorded and monitored.
The Malwr reports on the samples      show download locations as:
This has a VirusTotal result of 3/54. The Malwr and VirusTotal reports combined with this Hybrid Analysis show traffic to:
22.214.171.124 (Immedion LLC, US / VirtuaServer Informica Ltda, Brazil)
126.96.36.199 (Bulgarian Academy Of Sciences, Bulgaria)
188.8.131.52 (Triara.com, S.A. de C.V., Mexico)
184.108.40.206 (Ignum s.r.o, Czech Republic)
220.127.116.11 (Ozhosting.com Pty Ltd, Australia)
18.104.22.168 (TE Data, Egypt)
22.214.171.124 (Linknet, Indonesia)
126.96.36.199 (Network Devices, Turkey)
The payload is the Dridex banking trojan, and this activity is consistent with the botnet 220 campaign.
Dropped file MD5:
The payload has now changed to one with an MD5 of 4f272b8af966ccd73880888015d87e40 and a detection rate of 2/54. The Malwr report indicates that the network behaviour is pretty much the same.