From: email@example.com [mailto:firstname.lastname@example.org]
Sent: 16 May 2013 10:48
Subject: Successful Receipt of Online Submission for Reference 517794350
Thank you for sending your VAT Return online. The submission for reference 517794350 was successfully received on 2013-05-16 T10:45:27 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.
For the latest information on your VAT Return please open attached report.
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.
The attachment is VAT Returns Repot 517794350.doc which contains an exploit which is currently being analysed. It is likely to use the same vulnerability as this attack. VirusTotal results are just 1/46, so either this is something completely new or it is a corrupt sample.
UPDATE: ThreatTrack reports that the malware sample appears to make contact with the following IPs which are all dynamic IP addresses, indicating perhaps a P2P version of Zeus: