From: Kate Williams
Date: 10 November 2014 09:40
Subject: invoice 8798556 November
Please find attached your November invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 8798556 Account No 5608798556.
Thanks very much
The number of the invoice is random and is consistent between the subject and attachment (in this case invoice_8798556.doc). There are two different attachments, both poorly detected at VirusTotal, each containing a malicious macro.
I haven't been able to analyse it myself yet, but according to this comment it downloads a binary from adeline.de/js/bin.exe which has a low VirusTotal detection rate and for which the comments from user borromini say:
Downloaded by malicious word doc with macro (f9d6161e1b26cf6faab4ac0eecde3a7d).
POST requests to
Also tried 22.214.171.124:8080 and 126.96.36.199:8080
The macros I mentioned download from the following locations:
The executable is then copied to %TEMP%\CQRZKMIESEX.exe and the ThreatTrack report [pdf] shows the malware connecting to 188.8.131.52 (Hostway, UK) where it POSTs to /hCsYvpW%26lZaTGPBgK$W%264P49%24%2BNU&Y/H%26%20@Kg
5SvSh8+unz%7Eg6f%24G on that server.
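
A mail-filter heuristic for the lure pattern described above, added here as an illustration and not taken from the original post: it flags a message whose subject invoice number reappears in the name of a .doc attachment and, as in the sample email, as the "sort code" in the body. The function and trait names, the digit-length bounds and the constructed test message are assumptions.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Assumed bounds: the sample uses a 7-digit number; allow 6 to 10 digits.
SUBJECT_RE = re.compile(r"invoice\s+(\d{6,10})", re.IGNORECASE)
ATTACH_RE = re.compile(r"invoice_(\d{6,10})\.doc$", re.IGNORECASE)

def score_invoice_lure(raw):
    """Return the lure traits found in a raw RFC 822 message (hypothetical helper)."""
    msg = message_from_string(raw)
    hits = []
    m = SUBJECT_RE.search(msg.get("Subject", ""))
    if not m:
        return hits
    number = m.group(1)
    hits.append("subject-number")
    body = ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            a = ATTACH_RE.search(name)
            # Same random number in the subject and in the .doc file name
            if a and a.group(1) == number:
                hits.append("attachment-matches-subject")
        elif part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            body += data.decode(part.get_content_charset() or "utf-8", "replace")
    # In the sample the same digits are reused as the "sort code"
    if re.search(r"sort code\s+" + re.escape(number), body, re.IGNORECASE):
        hits.append("number-reused-as-sort-code")
    return hits

def build_sample(subject_no, attach_no):
    """Constructed test message modelled on the sample; attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["Subject"] = f"invoice {subject_no} November"
    m.set_content(f"New bank details for BACS payments are Santander Bank "
                  f"Sort Code {subject_no} Account No 560{subject_no}.")
    m.add_attachment(b"placeholder, not a real document", maintype="application",
                     subtype="msword", filename=f"invoice_{attach_no}.doc")
    return m.as_string()

if __name__ == "__main__":
    print(score_invoice_lure(build_sample("8798556", "8798556")))
```

All three traits together are a stronger signal than any one alone; a legitimate invoice can match the subject and attachment name, but a real UK sort code is six digits and would not equal the invoice number.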