From: Therese HoldenThe attachment is a Word document with a randomly-generated filename that matches the subject of the email, it contains a malicious macro [pastebin] with a VirusTotal detection rate of 0/52 (you can see the Malwr report here, it doesn't say much). In this case the macro downloads a file from http://18.104.22.168:8080/doc/9.exe and saves it as %TEMP%\DCITXEKBIRG.exe, this is also poorly detected with a detection rate of just 3/52.
Date: 4 November 2014 13:59
Subject: Remittance Advice November FO1864232P
Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP
Accounts Payable Department DUCO
The Malwr report shows that the malware reaches out to the following URLs:
It also drops a DLL on the system identified by VirusTotal as Cridex.