From: Hillary Odonnell [Hillary.OdonnellF@eprose.fr]The person it is "From", the reference nu,ber and the company name vary from spam to spam. All the samples I have seen have the name "Jake Gill" in the body text. Attached is a semi-random RTF document (for example, DOC02973338131560.rtf).
Date: 13 April 2016 at 18:40
Subject: Prompt response required! Past due inv. #FPQ479660
I am showing that invoice FPQ479660 is past due. Can you tell me when this invoice is scheduled for payment?
Accounts Receivable Department
(094) 426 8112
There seem to be several different versions of the attachment, I checked four samples     and VirusTotal detection rates seem to be in the region of 7/57. The Malwr reports for those samples are inconclusive     (as are the Hybrid Analyses    ) but do show a failed lookup attempt for the domain onlineaccess.bleutree.us (actually hosted on 18.104.22.168 - MnogoByte, Russia). The payload appears to be Dridex.
We can see a reference to that server at URLquery which shows an attempted malicious download. It also appears in this Hybrid Analysis report. At the moment however, the server appears to be not responding, but it appears that for that sample the malware communicated with:
22.214.171.124 (Culturegrid.nl, Netherlands)
126.96.36.199 (OVH, Spain)
188.8.131.52 (TANET, Taiwan)
184.108.40.206 (FPT Telecom Company, Vietnam)
These are all good IPs to block.
According to DNSDB, these other domains have all been hosted on the 220.127.116.11 address:
You can bet that they are all malicious too.