Date: 12 February 2016 at 10:44
Subject: Your latest invoice from The Fuelcard Company UK Ltd
Please find your latest invoice attached.
If you have any queries please do not hesitate to contact our Customer Service Team at firstname.lastname@example.org
The Fuelcard Compa
The Fuelcard Company UK Ltd
St James Business Park Grimbald Crag Court Knaresborough HG5 8QB
Tel 0845 456 1400 Fax 0845 279 9877
Please consider the environment before printing this email.
This email and any files transmitted with it are confidential, may be legally privileged, and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error, please notify the system administrator and then kindly delete the message. If you are not the intended recipient, any disclosure, copying, distribution or any other action taken is prohibited, and may be unlawful. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Please note that once signed, The Fuelcard Company terms & conditions take precedence over all prior communications by any employee or agent of The Fuelcard Company. Once a client signs The Fuelcard Company terms & conditions, this will form the full extent of The Fuelcard Company’s agreed contract with the client.
E-mails may be corrupted, intercepted or amended and so we do not accept any liability for the contents received. We accept no responsibility for any loss caused by viruses. You should scan attachments (if any) for viruses.
Head Office: The Fuelcard Company UK Ltd, St James Business Park, Grimbald Crag Court, Knaresborough HG5 8QB
Registered number: 5939102
I have only seen a single sample with an attachment named invoice.xls with a detection rate of 5/54. Analysis is pending, but the payload is likely to be the Dridex banking trojan.
This Hybrid Analysis shows that this particular sample downloads from:
This is the same executable as found in this earlier spam run.