Malware spam: "You have received a new secure message from BankLine"

For some reason these RBS BankLine spam messages are a popular mechanism for the bad guys to spread malware.

From:    Bankline [secure.message@rbs.com.uk]
Date:    23 January 2015 at 12:43
Subject:    You have received a new secure message from BankLine

You have received a secure message.

Read your secure message by following the link bellow:

http://donumyok.com/RBS-DATA.STORAGE/personal.document.html

----------------
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly.
For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 3513.

The link in the email seems to be somewhat dynamic, as I have also seen this slightly different variant of:

http://donumyok.com/RBS_BANK-ONLINE_SECURE_STORAGE/receive.personal-document.html

The landing page looks like this:

The link on that landing page goes to http://animation-1.com/js/jquery-1.41.15.js?get_message which downloads a ZIP file called Bankline_document_pdf71274.zip (or something similar) containing an executable file named something like Bankline_document_pdf24372.exe. The numbers change in each case, and indeed the executable changes slightly every time it is downloaded.

The ThreatExpert report shows that it attempt to communicate with the well-known-bad-IP of 202.153.35.133 (Excell Media Pvt Ltd, India) which is associated with the Dyre banking trojan.