Date: 21 April 2016 at 10:33
Thank you for placing your order with BalanceUK Ltd
Please find attached your document.
30-32 Martock Business Park,
Great Western Road,
Tel: 01935 826 960
Fax: 01935 829 215
*** Please do not reply to this email address ***
Attached is a ZIP file with a name that matches the reference in the subject field (e.g. BalanceUK_X271897_1127878.zip). Although I have seen a few samples with different names, they are all the same attachment. Inside that ZIP file is another ZIP file named 4812610-20.04.2016.zip and in there is a malicious script named 4812610-20.04.2016.js with a VirusTotal detection rate of 6/56.
This malicious script [pastebin] downloads an executable from:
There are usually different download locations, but so far I have only seen the one. This has a detection rate of 5/56. The Hybrid Analysis of the dropped binary shows network traffic to:
126.96.36.199 (MultiNet AS, Norway)
188.8.131.52 (Novanet da Barra Ass e Inf LTDA, Brazil)
The payload is not clear, but is probably the Dridex banking trojan.