From: QuintonAttached is a Word document with a random name, but always starting with "TAX_". Examples include:
Date: 23 January 2015 at 08:18
Subject: 2014 Tax payment issue
According to your tax payments for 2014 year period we found that you gave a wrong legal address in your last tax payment. In order to avoid penalty fees on your tax dues we ask you to contact our specialist having checked the previous payment in advance (the DOC invoice attached below).
From: Tara Morris
Date: 23 January 2015 at 09:28
Subject: Your tax return was incorrectly filled out
This is to inform you that your legal address was filled incorrectly while completing the last tax form application for 2014 year.
In order to avoid penalty fees during the next tax period please contact our expert as soon as you check the payment details (the DOC invoice attached below).
There are two different variants of this Word document that I have seen so far, neither are detected by AV vendors   containing one of two malicious macros   that download a file 20.exe from the following URLs:
This file is then saved to %TEMP%\GYHjksdf.exe and has a low detection rate of 2/56 (Norman AV identifies it as Dridex). The Malwr analysis is inconclusive, other analysis is pending.