From: IFS Applications [Do_Not_Reply@vitacress.co.uk]Attached is a file Payment Advice_593016.doc which is actually one of two different documents with zero detections at VirusTotal   and contain one of two malicious macros   [pastebin] that download a malware binary from one of the following locations:
Date: 15 December 2014 at 07:49
Subject: DOC-file for report is ready
The DOC-file for report Payment Advice is ready and is attached in this mail.
This file is saved as %TEMP%\DYIATHUQLCW.exe and is currently has a VirusTotal detection rate of just 1/52.
The ThreatExpert report and Malwr report shows attempted connections to the following IPs which have been used in many recent attacks and should be blocked if you can:
126.96.36.199 (Ministry of Education, Thailand)
188.8.131.52 (1&1, US)
The malware almost definitely drops the Dridex trojan onto the target system, but I have not been able to get a sample of this yet.
UPDATE 2014-12-16A second wave of spam is in progress with a pair of new malicious Word documents with low detection rates   containing new macros   that download a malicious file from the following locations:
This file is saved as %TEMP%\TQWTGECOROR.exe and it currently has a detection rate of just 1/54. The Malwr report shows it posting to 184.108.40.206 yet again, although it does not show the dropped Dridex binary that I would expect to see.