From: firstname.lastname@example.org
Date: 21 October 2014 15:21
Subject: Industrial Invoices
Attached are accounting documents from Humber Merchants
Humber Merchants Group
Tel: 01724 860331
Fax: 01724 281326
Automated mail message produced by DbMail.
Registered to Humber Merchants Limited, License MBS2008354.

Attached is a malicious Word document 15040BII3646501.doc which has a VirusTotal detection of 6/54. The Malwr report gives a little detail as to what is going on, but the crux of it is that if you have macros enabled then they will download and execute a malicious binary from http://gpsbah.com/images/1.exe which has a VirusTotal detection rate of 11/53 and which the Malwr report indicates then connects to the following URLs:
220.127.116.11 is a Serverloft / Intergenia IP address in Germany.
Another version of the attachment is doing the rounds; this time the attachment has a detection rate of 0/54 (Malwr report), but in this case it downloads a file from http://jvsfiles.com/common/1.exe which has a detection rate of just 1/54.
According to the Malwr report, that binary contacts the following URLs:
18.104.22.168 is 1&1, Germany and 22.214.171.124 is Hostway, Belgium.
This executable drops a DLL on the system which is also poorly detected with a detection rate of 1/54.
A fresh round of spam has started with the same template. So far I have seen two documents with low detection rates [Malwr report] that drop one of two malicious binaries [pastebin] from one of these locations:
This is also poorly detected according to VirusTotal. The Malwr report for this shows that it reaches out to the following URL (again):
It also drops a DLL identified by VirusTotal as Dridex.
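Added example, not part of the original post: a Python check that looks for the two payload URLs named above in web-proxy logs, so that clients which fetched the binary can be identified. The log format and sample lines are constructed, and treating any other URL ending in 1.exe as related is a heuristic assumption.

```python
from urllib.parse import urlsplit

# Payload URLs named in the post.
KNOWN_PAYLOAD_URLS = {
    "http://gpsbah.com/images/1.exe",
    "http://jvsfiles.com/common/1.exe",
}
# Both payloads share this file name; matching on it alone is a heuristic (assumption).
CAMPAIGN_FILENAME = "1.exe"

# Constructed proxy log, one request per line: <time> <client> <method> <url> <status>
SAMPLE_LOG = """\
2014-10-21T15:24:02Z 10.0.0.21 GET http://gpsbah.com/images/1.exe 200
2014-10-21T15:24:09Z 10.0.0.21 GET http://GPSBAH.com:80/images/1.exe?x=1 200
2014-10-21T15:30:40Z 10.0.0.37 GET http://jvsfiles.com/common/1.exe 404
2014-10-21T15:31:12Z 10.0.0.44 GET http://files.example.test/tmp/1.exe 200
2014-10-21T15:32:00Z 10.0.0.44 GET http://www.example.test/index.html 200
2014-10-21T15:33:18Z 10.0.0.50 CONNECT mail.example.test:443 200
"""

def normalize(url):
    """Lower-case the host, drop a default port, the query and the fragment."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # malformed port in the log line
        return None
    default = {"http": 80, "https": 443}[parts.scheme]
    netloc = parts.hostname if port in (None, default) else f"{parts.hostname}:{port}"
    return f"{parts.scheme}://{netloc}{parts.path}"

def scan(log_text):
    """Return (client, url, verdict, delivered) for each suspicious GET request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "GET":
            continue
        _, client, _, url, status = fields
        norm = normalize(url)
        if norm is None:
            continue
        if norm in KNOWN_PAYLOAD_URLS:
            verdict = "known-url"
        elif norm.rsplit("/", 1)[-1].lower() == CAMPAIGN_FILENAME:
            verdict = "same-filename"
        else:
            continue
        # Status 200 means the payload reached the client; triage that host first.
        hits.append((client, norm, verdict, status == "200"))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "same-filename" hit is only a lead for review, since 1.exe is a generic name; a "known-url" hit with a delivered payload is the one that points to a host needing investigation.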