From: Monika [firstname.lastname@example.org]
Date: 20 January 2015 at 07:18
Subject: Proforma Invoice
Please find enclosed the proforma invoice for your order. Please let me know when payment has been made, so that the goods can be despatched.
Kind regards,
Monika Goetz
Sales & Marketing Co-ordinator
The attached document is Proforma.doc, which is currently undetected by AV vendors. It contains a malicious macro (a copy is on Pastebin) which attempts to download a binary from:
...which is saved to %TEMP%\324234234.exe. This has a VirusTotal detection rate of 2/56, and the Malwr report shows it attempting to phone home to:
220.127.116.11 (HKBN, Hong Kong)
18.104.22.168 (1&1, US)
These IPs have been used many times in similar recent attacks and I recommend you block them.
It also drops a DLL with a VirusTotal detection rate of 2/57. The payload appears to be the Dridex banking trojan.
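As an added example (not part of the original post), a small Python check that flags the two phone-home IPs and the dropped file name from this analysis in firewall and endpoint log lines. The log formats, hostnames and internal addresses are constructed for illustration, not taken from the post.

```python
import re

# Indicators taken from the analysis above: the two C2 IPs and the
# file name the macro writes into %TEMP%.
C2_IPS = {"220.127.116.11", "18.104.22.168"}
DROPPED_EXE = "324234234.exe"

# Constructed sample log lines (assumed formats, not real traffic):
#   firewall:  "<ts> fw src=<ip> dst=<ip>:<port> action=<allow|deny>"
#   endpoint:  "<ts> edr host=<name> event=file_write path=<path>"
SAMPLE_LOGS = [
    "2015-01-20T07:31:02Z fw src=10.0.0.15 dst=220.127.116.11:8080 action=allow",
    "2015-01-20T07:31:05Z fw src=10.0.0.15 dst=93.184.216.34:443 action=allow",
    "2015-01-20T07:30:58Z edr host=WS015 event=file_write "
    "path=C:\\Users\\user\\AppData\\Local\\Temp\\324234234.exe",
    "2015-01-20T07:32:10Z fw src=10.0.0.22 dst=18.104.22.168:80 action=deny",
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) fw src=(?P<src>\S+) dst=(?P<dst>[\d.]+):(?P<port>\d+) "
    r"action=(?P<action>\w+)$"
)
EDR_RE = re.compile(
    r"^(?P<ts>\S+) edr host=(?P<host>\S+) event=file_write path=(?P<path>.+)$"
)


def match_indicators(lines):
    """Return one hit dict per log line that matches a C2 IP or the dropped file."""
    hits = []
    for line in lines:
        m = FW_RE.match(line)
        if m and m.group("dst") in C2_IPS:
            # A denied connection still tells you which host ran the macro.
            hits.append({"ts": m.group("ts"), "type": "c2_contact",
                         "asset": m.group("src"), "indicator": m.group("dst"),
                         "action": m.group("action")})
            continue
        m = EDR_RE.match(line)
        if m and m.group("path").lower().endswith("\\" + DROPPED_EXE):
            hits.append({"ts": m.group("ts"), "type": "dropped_file",
                         "asset": m.group("host"), "indicator": m.group("path"),
                         "action": "file_write"})
    return hits


def assets_to_triage(lines):
    """Distinct hosts/addresses that should be isolated and examined for Dridex."""
    return sorted({h["asset"] for h in match_indicators(lines)})
```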
See also this post about a related spam run also in progress this morning.