Wednesday, 6 January 2016

Malware spam: "STA19778072 - BACS PAYMENT"

This fake financial spam comes with different sender names, reference details and attachment names. However, in all cases the attachment is malicious.

From:    Forrest Cleveland
Date:    6 January 2016 at 11:23
Subject:    STA19778072 - BACS PAYMENT

Importance: High

Hello,

Wasn’t sure who to email.

I don’t know if you have been asked but Statestrong Products Ltd are making one payment today for two cars. Could you let me know when it is in the account please as these are both collections tomorrow.

YG15XVK paid set up fee by card
£455.99 Incl vat rental
£500 deposit

DE64ZXM
£210 setup fee
£431.99 Incl vat rental
£500 deposit

Total - £2097.98

Thanks

Lorie

So far I have seen three different attachment variants (VirusTotal results [1] [2] [3]), and these Malwr reports [4] [5] [6] indicate the same general characteristics as this spam run. However, in this case the dropped file tsx3.exe has been updated, and the new version has a detection rate of 6/54. The Malwr report indicates very similar traffic to before.

Recommended blocklist:
