From: Sagepay EU [email@example.com]Attached is a file INV00318132_V0072048_12312014.xls which appears to come in a wide variety of different versions (at least 11). The VirusTotal detection rate for a subset of these is 4/54      . Only a single Malwr report seemed to work, indicating the macro downloading from:
Date: 11 February 2016 at 13:21
Subject: Your Sage Pay Invoice INV00318132
Please find attached your invoice.
We are making improvements to our billing systems to help serve you better and because of that the attached invoice will look different from your previous ones. You should have already received an email that outlined the changes, however if you have any questions please contact firstname.lastname@example.org or call 0845 111 44 55.
0845 111 44 55
This dropped executable has a detection rate of 3/54. The Malwr report shows it phoning home to:
184.108.40.206 (ispOne business GmbH, Germany)
I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.