From: CreditControl@crosswater.co.uk
Date: 8 February 2016 at 10:34
Subject: Accounts Documentation - Invoices
Please find attached the invoice(s) raised on your account today. If you have more than one invoice they will all be in the single attachment above.
If you have any queries please do not hesitate to contact the Credit Controller who deals with your account.
Alternatively if you do not know the name of the Credit Controller you can contact us at:
Accounts@crosswater-holdings.co.uk
or call us on 0845 873 8840
Please do not reply to this E-mail as this is a forwarding address only.

Attached is a malicious script ~13190.js which comes in at least two different variants (VirusTotal [1] [2]). According to automated analysis [3] [4] [5] [6] these scripts download from:
hydroxylapatites7.meximas.com/98876hg5/45gt454h
80.109.240.71/~l.pennings/98876hg5/45gt454h
This drops an executable with a detection rate of 3/53 which appears to phone home to:
188.40.224.73 (NoTag, Germany)
I strongly recommend that you block traffic to that IP address. The payload is likely to be the Dridex banking trojan.
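
One way to check web proxy logs for the indicators listed above, as an added example that is not part of the original post. The log layout, the sample lines and the function names are constructed for illustration, and treating the shared download path on an unlisted host as a weaker match is an assumption.

```python
from urllib.parse import urlsplit

# Indicators copied from the post above.
DOWNLOAD_HOSTS = {"hydroxylapatites7.meximas.com", "80.109.240.71"}
DOWNLOAD_PATH = "/98876hg5/45gt454h"  # path shared by both download URLs
PHONE_HOME_IP = "188.40.224.73"

# Constructed sample log, assumed layout: client method url destination_ip
SAMPLE_LOG = """\
10.0.0.12 GET http://hydroxylapatites7.meximas.com/98876hg5/45gt454h 203.0.113.10
10.0.0.12 POST http://188.40.224.73/ 188.40.224.73
10.0.0.40 GET http://example.org/index.html 198.51.100.7
10.0.0.31 GET http://80.109.240.71/~l.pennings/98876hg5/45gt454h 80.109.240.71
10.0.0.55 GET http://cdn.example.net/98876hg5/45gt454h 198.51.100.9
truncated line
"""

def classify(url, dest_ip):
    """Return a verdict string for one request, or None if nothing matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if PHONE_HOME_IP in (host, dest_ip):
        return "phone-home"
    if parts.path.endswith(DOWNLOAD_PATH):
        # Same path on an unlisted host is a weaker signal (assumed path reuse).
        return "download-known-host" if host in DOWNLOAD_HOSTS else "download-path-only"
    return None

def scan(log_text):
    """Return (client, verdict, url) per matching line; skip malformed lines."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        client, _method, url, dest_ip = fields
        verdict = classify(url, dest_ip)
        if verdict:
            hits.append((client, verdict, url))
    return hits

def likely_executed(hits):
    """Clients that fetched the download URL and also reached the phone-home IP."""
    fetched = {c for c, v, _ in hits if v.startswith("download")}
    phoned = {c for c, v, _ in hits if v == "phone-home"}
    return sorted(fetched & phoned)

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print("prioritise:", likely_executed(hits))
```

A client that appears in both sets has probably run the dropped executable and should be triaged before hosts that only fetched the script's download URL.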