From: O2 Lease [O2BusinessContracts@o2.com]
Date: 20 January 2016 at 09:05
Subject: Your device is on its way
This electronic message contains information from Telefonica UK or Telefonica Europe which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email.
Hello

Great news, you've accepted the O2 Lease terms and conditions and the hire agreement.

We've put your order through. So we'll be sending your new device out in the next few days.

Best regards
O2 Customer Service
You can find out more about being on O2 at o2.co.uk/hello
For the latest updates and news, why not follow us on or
This email is sent from Telefónica UK Limited, a company registered in England and Wales. Registered office: 260 Bath Road, Slough, Berkshire, SL1 4DX.
Switchboard: +44 (0)113 272 2000
Telefonica UK Limited 260 Bath Road, Slough, Berkshire SL1 4DX Registered in England and Wales: 1743099. VAT number: GB 778 6037 85
Telefonica Europe plc 260 Bath Road, Slough, Berkshire SL1 4DX Registered in England and Wales: 05310128. VAT number: GB 778 6037 85
Telefonica Digital Limited 260 Bath Road, Slough, Berkshire SL1 4DX Registered in England and Wales: 7884976. VAT number: GB 778 6037 85
Attached is a file CCAConfirmedAgreement-07540353301-1052136.DOC which (if you can download it) comes in at least two versions (VirusTotal results) and the Malwr reports for those show the malicious document downloading from:
www.helios.vn/98jh6d5/89hg56fd.exe [from this spam run]
There are probably some other download locations too. The dropped binary has an MD5 of 7db792adc71e9dc0f6bb28a5f802b7ab and a detection rate of 4/54. Those Malwr reports and the VirusTotal report indicate network traffic to:
188.8.131.52 (SoftCom America Inc., US)
I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan, and the characteristics look like botnet 220.
The payload for today's Dridex 220 runs has been updated to 34781d4f8654f9547cc205061221aea5 with a detection rate of 1/54.
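
As an added example (not part of the original post), the following Python sketch sweeps web-proxy logs for the download location and IP reported above and checks file contents against the two payload MD5s. The log layout (time, client, method, target, destination IP) and the sample lines are constructed assumptions; the indicator values are copied from the post.

```python
import hashlib
from urllib.parse import urlsplit

# Indicators copied from the post above.
DOWNLOAD_HOST = "www.helios.vn"
DOWNLOAD_PATH = "/98jh6d5/89hg56fd.exe"
REPORTED_IP = "188.8.131.52"
PAYLOAD_MD5 = {"7db792adc71e9dc0f6bb28a5f802b7ab",
               "34781d4f8654f9547cc205061221aea5"}

# Constructed sample lines (assumed layout: time client method target dest_ip).
SAMPLE_LOG = """\
2016-01-20T09:12:44 10.0.0.21 GET http://WWW.HELIOS.VN:80/98jh6d5/89hg56fd.exe 203.0.113.7
2016-01-20T09:13:02 10.0.0.21 CONNECT 188.8.131.52:443 188.8.131.52
2016-01-20T09:14:10 10.0.0.35 GET http://example.org/index.html 198.51.100.9
"""

def classify(line):
    """Return (client, reason) if the line touches an indicator, else None."""
    parts = line.split()
    if len(parts) != 5:
        return None  # skip malformed lines rather than guess at fields
    _, client, _method, target, dest_ip = parts
    # CONNECT targets are host:port with no scheme; add "//" so urlsplit parses them.
    url = urlsplit(target if "://" in target else "//" + target)
    # .hostname is already lower-cased with the port removed; drop a trailing dot too.
    host = (url.hostname or "").rstrip(".")
    if host == DOWNLOAD_HOST and url.path == DOWNLOAD_PATH:
        return client, "payload download URL"
    if host == DOWNLOAD_HOST:
        return client, "download host"
    if REPORTED_IP in (host, dest_ip):
        return client, "traffic to reported IP"
    return None

def sweep(log_text):
    """Collect every (client, reason) hit in a block of log text."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

def is_known_payload(data: bytes) -> bool:
    """MD5 is used only because the post publishes MD5s for the dropped binary."""
    return hashlib.md5(data).hexdigest() in PAYLOAD_MD5

if __name__ == "__main__":
    for client, reason in sweep(SAMPLE_LOG):
        print(client, reason)
```

The post notes there are probably other download locations, so a clean sweep for this one URL does not rule out infection; the IP and hash checks are the broader net.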