From: firstname.lastname@example.orgThis spam is not from UK Fuels Ltd or ebillinvoice.com and is a forgery. Attached is a malicious Word document which in the sample I have seen is undetected by AV vendors. This downloads a file from the following location:
Date: 11 December 2014 at 08:06
Subject: UK Fuels E-bill
Customer No : 35056
Email address : [redacted]
Attached file name : 35056_49_2014.doc
Please find attached your invoice for Week 49 2014.
In order to open the attached DOC file you will need
the software Microsoft Office Word.
If you have any queries regarding your e-bill you can contact us at email@example.com.
UK Fuels Ltd
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
This is downloaded and saved to %TEMP%\LNKCLHSARFL.exe. This binary only has a detection rate of 3/56 at VirusTotal.
The Malwr report shows that it POSTs data to 220.127.116.11 (Ministry of Education, Thailand), which has been commonly used in this sort of attack (I strongly recommend that you block this IP). It also drops a DLL which is probably Dridex, which has a detection rate of only 1/55.
UPDATE 2014-12-12Another spam run pushing this is in progress, with two different Word attachments seen so far (all called 35056_49_2014.doc. These are currently undetected by AV vendors   and contains two slightly different macros   [pastebin] that then attempt to download a binary from one of the following locations:
This is then saved as %TEMP%\RPDWVRNDBGX.exe. This executable is malicious but has a VirusTotal detection rate of just 2/56. The ThreatExpert report shows connections to:
18.104.22.168 (Ministry of Education, Thailand)
22.214.171.124 (1&1, US)
Both these IPs have been seen before and are definitely worth blocking. According to the Malwr report, this executable drops a DLL widely identified as the Dridex banking trojan.