From: Debbie BarrettThe attachment name combines the recipient's email address with the fake reference number, e.g. barry_51DDAF.xls which isn't actually an Excel file at all, but a multipart MIME file. Payload Security's Hybrid Analysis tools manages to analyse it though, showing several steps in the infection chain.
Date: 12 May 2015 at 11:14
Subject: ATTN: Outstanding Invoices - [4697E0] [April|May]
Kindly find attached our reminder and copy of the relevant invoices.
Looking forward to receive your prompt payment and thank you in advance.
First a VBScript is downloaded from pastebin[.]com/download.php?i=5K5YLjVu
Secondly, that VBScript then downloads a file from 92.63.88[.]87:8080/bt/get.php (MWTV, Latvia) which is saved as crypted.120.exe, this has a detection rate of 2/57.
This component then connects to 188.8.131.52 (FastVPS, Estonia) and according to this Malwr report drops a Dridex DLL with a detection rate of 3/56.
There are several different attachments, so far I have seen the following MD5s:
The MD5s for the malware components are: