From: Jean Pierre Kibungu [jpie.kibungu@victimdomain]
Date: 20 November 2015 at 09:56
Subject: 0150363108788101_02416060_1.xls
Please find attached the swift of the transfer of $30000.
Kind regards
Jean Pierre Kibungu
INCAT
JEAN PIERRE KIBUNGU AVAR-DA-VISI
GENERAL MANAGER
INCAT OILFIELD LOGISTICS (DRC) LTD
Site:
Mob: + 243 998 01 95 01
Headoffice:
Tel. +44(0) 1534 758859
Fax: +44(0) 1534 758834
The telephone number does match that of a genuine company in Jersey, but they are not sending this spam. The attachment is named 0150363108788101_02416060_1.xls and so far I have seen just one version of this with a VirusTotal detection rate of 4/53. It contains this malicious macro [pastebin].
Analysis of the spreadsheet is pending, but the payload is almost definitely the Dridex banking trojan.
UPDATE
Sources tell me there are at least two variants with download locations of:
betterimpressions.com/~impressions/65y3fd23d/87i4g3d2d2.exe
192.186.227.64/~irma1026/65y3fd23d/87i4g3d2d2.exe
This has an MD5 of d410a45dc4710ea0d383dee81fbbcb6f and a VirusTotal detection rate of 4/52. According to that VirusTotal report and this Malwr report, it makes a network connection to:
157.252.245.32 (Trinity College, US)
I strongly recommend that you block traffic to that IP.
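A defender-side check for the indicators above, added here as an example and not part of the original post: it scans proxy log lines for the two download locations (and their shared path) and for traffic to the post-infection IP. The log format and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the post: the two download locations and the post-infection IP.
DOWNLOAD_URLS = {
    "betterimpressions.com/~impressions/65y3fd23d/87i4g3d2d2.exe",
    "192.186.227.64/~irma1026/65y3fd23d/87i4g3d2d2.exe",
}
# Both locations share this path, so a copy served from a new host is still caught.
DOWNLOAD_PATH = "/65y3fd23d/87i4g3d2d2.exe"
C2_IPS = {"157.252.245.32"}

# Constructed proxy log format: "<time> <client_ip> <method> <url> <dest_ip> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<dest>\S+) (?P<status>\d+)$"
)

def classify(line):
    """Return (label, client_ip, indicator) for a line that hits an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.netloc + parts.path in DOWNLOAD_URLS or parts.path.endswith(DOWNLOAD_PATH):
        return ("dridex-download", m.group("client"), url)
    if m.group("dest") in C2_IPS or parts.hostname in C2_IPS:
        return ("dridex-c2", m.group("client"), m.group("dest"))
    return None

def scan(lines):
    """Run classify() over every line and keep only the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines: one download, one contact with the listed IP, one benign
# request, and a download of the same path from a host that is not in the list.
SAMPLE_LOG = [
    "2015-11-20T10:02:11 10.0.0.15 GET http://betterimpressions.com/~impressions/65y3fd23d/87i4g3d2d2.exe 203.0.113.9 200",
    "2015-11-20T10:02:13 10.0.0.15 POST http://157.252.245.32/ 157.252.245.32 200",
    "2015-11-20T10:03:40 10.0.0.22 GET http://example.com/index.html 203.0.113.20 200",
    "2015-11-20T10:04:02 10.0.0.31 GET http://203.0.113.55/~other/65y3fd23d/87i4g3d2d2.exe 203.0.113.55 200",
]

if __name__ == "__main__":
    for label, client, indicator in scan(SAMPLE_LOG):
        print(f"{label}: {client} -> {indicator}")
```

Matching on the shared path rather than only the full URL means a relocated copy of the payload still produces a hit; the benign line and an unparseable line produce none.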