From: Brandi Riley [BrandiRiley21849@horrod.com]
Date: 15 February 2016 at 12:20
Subject: Overdue Invoice 089737 - COMS PLC
The payment is overdue. Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Attached is a file in the format INVOICE-UK865916 2015 NOV.doc which comes in several different versions (VirusTotal results). The Hybrid Analysis shows an attempted download from:
This is hosted on an IP that you can assume to be malicious:
18.104.22.168 (Veraton Projects, BZ / DE)
The dropped executable (detection rate 4/54) then phones home to:
22.214.171.124 (Reg.Ru Hosting, Russia)
126.96.36.199 (Cyberindo Aditama, Indonesia)
188.8.131.52 (System Projects LLC, Russia)
The payload is the Dridex banking trojan.
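As an added example (not part of the original post), the following script checks outbound proxy/firewall log lines against the IPs listed above, separating the initial dropper download from later Dridex phone-home traffic so that hosts needing investigation can be listed. The log layout, the sample lines and the field names are assumptions constructed for this example.

```python
import re
from ipaddress import ip_address

# Indicators from the post, grouped by role: the dropper download host
# versus the three addresses the dropped executable phones home to.
DRIDEX_IOCS = {
    "18.104.22.168": "dropper download host",
    "22.214.171.124": "Dridex C2",
    "126.96.36.199": "Dridex C2",
    "188.8.131.52": "Dridex C2",
}

# Constructed sample log lines (not from the post) in an assumed
# "timestamp src dst:port action" layout. The last line carries a
# near-miss destination that a naive substring search would flag.
SAMPLE_LOG = """\
2016-02-15T12:31:07Z 10.0.5.23 18.104.22.168:80 ALLOW
2016-02-15T12:31:09Z 10.0.5.23 93.184.216.34:443 ALLOW
2016-02-15T12:32:44Z 10.0.5.23 22.214.171.124:443 ALLOW
2016-02-15T12:40:01Z 10.0.9.8 126.96.36.199:4431 DENY
2016-02-15T12:41:15Z 10.0.5.23 18.104.22.1680:80 ALLOW
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+?):(\d+)\s+(\S+)$")


def find_ioc_hits(log_text, iocs=DRIDEX_IOCS):
    """Return one record per log line whose destination is a listed IP."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, port, action = m.groups()
        try:
            dst_ip = str(ip_address(dst))  # exact parse; rejects "18.104.22.1680"
        except ValueError:
            continue
        if dst_ip in iocs:
            hits.append({"time": ts, "src": src, "dst": dst_ip,
                         "port": int(port), "action": action,
                         "role": iocs[dst_ip]})
    return hits


def hosts_to_investigate(hits):
    """Internal hosts that reached (or tried to reach) a C2 address.

    A DENY still counts: the host attempted the phone-home, so the
    payload is presumably already running there.
    """
    return sorted({h["src"] for h in hits if h["role"] == "Dridex C2"})
```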