Another malicious email arrived in my spam folder and again a new (to me) infection tactic.



Standard looking .doc attachment.



No macro warning, just an embedded file to open.



Double click and the above warning comes up to open an “.xls”.



After accepting the warning the file is extracted to the temp folder.



Code above which is mostly encoded with Base64.



The file is really a .vbs disguised as an .xls.



A few interesting points: creation and& last modified time, last modified by, author and company.



Buried in the file is the creator icon path in Russian, which is his/her PC username.



Decoded top part shows it connects, downloads and runs an .exe to the %temp% folder. Analysis shows it is a Dridex banking Trojan. Various elements suggest this comes from Russia or nearby.