From: Leonor StevensYesterday I saw several spam runs similar to this coming from Dridex botnet 120. There are many, many variations of the attachment although I do not believe that they are uniquely-generated.
Date: 7 January 2016 at 10:13
Subject: Your Latest Documents from Angel Springs Ltd [1F101177]
Please find attached your latest document (s). You may have noticed that we have changed the way you receive your new attached documents from Angel Springs. Following feedback from our customers we've invested in upgrading our billing systems to make things a little easier for you.
Here's a few ways we've made it easier for you:
Your new documents are now attached to your email. You don't have to follow a link now to get to your documents.
Our customer portal has been upgraded to give you a clearer, simpler view of your documents and any outstanding invoices.
You can simply and easily raise any queries you may have through the customer portal.
Please note: you may wish to save your documents on initial viewing. However, after your first viewing you will be able to access copy documents by simply clicking the link.
If you would like to discuss or have any queries in relation to any of the documents then please do not hesitate to contact us on 0845 230 9555 and we will be more than happy to assist you. Please do not reply to this email.
To see Angel Springs latest special offer that will save you money and help support Make a Wish, please click on the attached document
With Kind Regards,
Angel Springs Ltd
The three samples I have sent for analysis so far has VirusTotal detection rates of 2/55    and the Malwr reports    show an initial communication with:
These IPs belong to:
22.214.171.124 (Ivanov Vitaliy Sergeevich, Ukraine)
126.96.36.199 (Private Person Anton Malyi, Ukraine)
188.8.131.52 (PE Tetyana Mysyk, Ukraine)
I note that 184.108.40.206 also hosts some bad things.. and the entire 220.127.116.11/20 block has a history of evil-ness   .
Note that there are probably other download locations. Check back later if you are interested.
These malicious documents drop a binary geroin.exe which has a detection rate of 3/54. The Malwr report for this shows it phoning home to:
18.104.22.168 (Hetzner, Germany)