
Wednesday 11 November 2015

Malware spam: "Refund from Bowater Incorporated" / PayPal

This fake PayPal email leads to malware:

From:    service@paypal.co.uk
Date:    11 November 2015 at 16:27
Subject:    Refund from Bowater Incorporated

PayPal

Bowater Incorporated has just sent you a refund

Wed, 11 Nov 2015 17:27:26 +0100
Transaction ID: 47E30904DC4145388
Dear Customer,
Bowater Incorporated has just sent you a full refund of £7849.90 GBP for your purchase.
If you have any questions about this refund, please contact Bowater Incorporated
The refund will go to your PayPal account. It may take a few moments for this transaction to appear in your account.
To see all the transaction details, please download and view from the link below.
https://www.paypal.com/uk/cgi-bin/webscr?cmd=view-a-trans&id=47E30904DC4145388
Merchant information
Bowater Incorporated
Note from merchant
None provided




Original transaction details
Description Unit price Qty Amount
Purchase from Bowater Incorporated £7849.90 GBP 1 £7849.90 GBP
Insurance: ----
Total: £7849.90 GBP
Refund to PayPal Balance: £7849.90 GBP
Invoice Number: 59266315
Yours sincerely,
PayPal
Please do not reply to this email because we are not monitoring this inbox. To get in touch with us, log in to your account and click "Contact Us" at the bottom of any page.
Copyright © 1999-2015 PayPal. All rights reserved.

PayPal (Europe) S.a.r.l. et Cie, S.C.A.
Societe en Commandite par Actions
Registered office: 64-75 Boulevard Royal, L-3369 Luxemburg
RCS Luxemburg B 205 162
PayPal Email ID PP1479 - nsjwiqin1ob5c

The link in the email does not go to paypal.com as its visible text suggests; it points to a download location at sharefile.com, which serves a file transaction details.zip containing a malicious executable transaction details.scr (a screensaver file, which Windows runs like any other executable).
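As an added example (not code from the original post), the following Python triage script checks for the two tells described above: an anchor whose visible text is a paypal.com URL but whose real href points to another host, and a zip archive whose members carry an executable extension such as .scr. The sample HTML, the sharefile link path and the bytes inside the zip are constructed stand-ins; the MD5 and the IP address are the indicators given in this post.

```python
import hashlib
import io
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that should never arrive inside a "transaction details" archive.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}

# Indicators from the post: MD5 of transaction details.scr and the IP it contacts.
KNOWN_BAD_MD5 = {"28989811c6b498910637847d538e43bf"}
KNOWN_BAD_IPS = {"197.149.90.166"}

# Constructed HTML body modelled on the lure; the sharefile path is a placeholder, not the real one.
SAMPLE_HTML = (
    "<p>To see all the transaction details, please download and view from the link below.</p>"
    '<a href="https://files.sharefile.example/dl/constructed">'
    "https://www.paypal.com/uk/cgi-bin/webscr?cmd=view-a-trans&amp;id=47E30904DC4145388</a>"
)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def find_deceptive_links(html_body, trusted_domain="paypal.com"):
    """Return hrefs whose visible text is a URL on trusted_domain but whose
    real destination host lies outside it (the lure used by this campaign)."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    hits = []
    for href, text in parser.anchors:
        if not re.match(r"https?://", text):
            continue  # visible text is not a URL, nothing to compare
        if _in_domain(_host(text), trusted_domain) and not _in_domain(_host(href), trusted_domain):
            hits.append(href)
    return hits


def inspect_zip(zip_bytes):
    """Return (member name, md5, known_bad) for every member with an executable
    extension; the extension is taken from the final suffix, lowercased."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in EXECUTABLE_EXTS:
                digest = hashlib.md5(zf.read(info)).hexdigest()
                findings.append((name, digest, digest in KNOWN_BAD_MD5))
    return findings


def build_sample_zip():
    """Construct an archive shaped like the lure: a single .scr named as a document.
    The payload bytes are a stand-in, not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("transaction details.scr", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


def triage(html_body, zip_bytes, observed_ips):
    """Combine the three checks into one verdict dictionary."""
    return {
        "deceptive_links": find_deceptive_links(html_body),
        "executables_in_zip": inspect_zip(zip_bytes),
        "known_bad_ips": sorted(set(observed_ips) & KNOWN_BAD_IPS),
    }


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for benign traffic.
    print(triage(SAMPLE_HTML, build_sample_zip(), ["197.149.90.166", "192.0.2.10"]))
```

The visible-text check is deliberately strict: it only fires when the anchor text itself is a URL on the trusted domain, which is exactly what this lure does, so it does not produce noise on ordinary "Click here" links that legitimately go off-domain.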

This binary has a VirusTotal detection rate of just 1/55. The Hybrid Analysis report shows network traffic consistent with Upatre downloading the Dyre banking trojan. One key IP address is 197.149.90.166 (Cobranet, Nigeria), which is well worth blocking.

MD5:
28989811c6b498910637847d538e43bf
