Date: 17 December 2014 at 07:27
Subject: Blocked ACH Transfer
The ACH transaction (ID: 618003565), recently sent from your online banking account, was rejected by the Electronic Payments Association.
ACH file Case ID 623742
Total Amount 2644.93 USD
Sender e-mail email@example.com
Reason for rejection See attached word file
Please see the document provided below to have more details about this issue.
Attached is a file ACH transaction 3360.doc which isn't actually a Word 97-2003 document at all, but a malicious Word 2007 document that would normally have a .DOCX extension (which is basically a ZIP file). The current VirusTotal detection rate of this is just 1/55.
Inside this is a malicious macro [pastebin] which downloads a file from:
This has a VirusTotal detection rate of just 1/54. The Malwr report shows it POSTING to 188.8.131.52 (Fornex Hosting, Germany) and also a query to 184.108.40.206 (Atlantic.net, US). Presumably this then drops additional components onto the infected system, although I do not know what they are.