From: Margery George
Date: 11 November 2014 11:50
Subject: INV634746Q Duplicate Payment Received
I refer to the above invoice for which we received a bacs payment of £689.75 on 10th November 14. Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.
I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer. If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details.
If you have any queries regarding this matter, please do not hesitate to contact me.
I look forward to hearing from you.

The reference number in the subject is randomly generated and is reflected in the filename (in this case De_634746Q.doc). There are two different variants I have seen with low detection rates at VirusTotal. These contain two slightly different malicious macros [pastebin] which download a file test.exe from one of the following locations:
Note that the IPs are very close, and both belong to Clodo-Cloud / IT House Ltd in Russia. The file is then copied to %TEMP%\NYHEFLJDPZR.exe which has a VirusTotal detection rate of just 1/53.
According to the Malwr report this malicious binary then connects to the following URLs:
It also drops a malicious DLL which has only some generic VirusTotal detections, but is probably Cridex or Dridex.
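
A mail-gateway heuristic for the pattern noted in this post, where the randomly generated reference in the subject reappears in the attachment filename. This is an added example, not code from the original post; the two regular expressions generalise from the single sample shown (INV634746Q / De_634746Q.doc) and are assumptions, as are the helper names and the example.com addresses.

```python
import re
from email.message import EmailMessage, Message

# Assumed patterns, generalised from the one sample on this page:
# subject "INV634746Q ..." and attachment "De_634746Q.doc".
SUBJECT_REF = re.compile(r"\bINV(\d{6}[A-Z])\b")
ATTACH_REF = re.compile(r"^[A-Za-z]{2}_(\d{6}[A-Z])\.doc$", re.IGNORECASE)


def matching_attachments(msg: Message) -> list:
    """Return .doc attachment names that embed the subject's reference."""
    found = SUBJECT_REF.search(msg.get("Subject", ""))
    if not found:
        return []
    ref = found.group(1)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # None for non-attachment parts
        if not name:
            continue
        att = ATTACH_REF.match(name)
        # Flag only when the attachment carries the same reference.
        if att and att.group(1).upper() == ref:
            hits.append(name)
    return hits


def build_sample(subject: str, filename: str) -> EmailMessage:
    """Constructed test message; the attachment body is a harmless placeholder."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # constructed address
    msg["To"] = "accounts@example.com"      # constructed address
    msg["Subject"] = subject
    msg.set_content("I refer to the above invoice ...")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="msword", filename=filename)
    return msg


if __name__ == "__main__":
    samples = [
        ("INV634746Q Duplicate Payment Received", "De_634746Q.doc"),
        ("INV634746Q Duplicate Payment Received", "De_111111A.doc"),
        ("Quarterly report", "De_634746Q.doc"),
    ]
    for subject, filename in samples:
        hits = matching_attachments(build_sample(subject, filename))
        print(subject, filename, "FLAG" if hits else "pass")
```

A match is a reason to quarantine the message for inspection rather than proof of infection, since legitimate invoices can also carry their reference in a filename.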