From: Zorita [email@example.com]The Word document attempts to persuade the victim to remove the security settings from the application:
Date: 11 September 2014 15:02
Subject: rooms reservation
Dear Hotel Manager,
I would like to reserve accommodation for 5 single rooms in your hotel for 7 nights for 5 guests.
Arrival date will be on 16 September.
List any special requirements attached to letter.
Thank you for your prompt attention to the above, I look forward to receiving a letter confirming my reservation.
The text says:
This error usually occurs because of macro security settings. To check your macro security settings, click the Microsoft Office Button, click Microsoft Word Options, click Trust Center, and then click Trust Center Settings. If macro security is set to Disable all macros without notification, all macros are automatically disabled. Use the following procedure to enable the macro. In the Trust Center dialog box, click Macro Settings, and then click Disable all macros with notification. Click OK in the Trust Center dialog box to apply the new setting. Click OK to close the program options dialog box. Close the file and the Microsoft Word. Open the file again. A Security Alert appears in the Document Information Bar just below the ribbon. Click Enable Content to allow the macro to run.The document itself has a VirusTotal detection rate of 9/54.
If you are foolish enough to do this, the document will then download an additional component from colfdoc.it/cart/update.exe (126.96.36.199) which in turn has a detection rate of 5/55. The ThreatTrack report [pdf] shows that the malware attempts to communicate with:
I would recommend blocking the following: