From: firstname.lastname@example.org
Date: 19 January 2015 at 07:24
Subject: Insurance Inspection Arranged AIG02377973
FMG is committed to reducing its impact on the environment. Please don't print this email unless absolutely necessary.
Have you been impressed by one of our people?
If so, we'd love to hear about it. You can nominate someone for a Spirit award by emailing email@example.com
FMG Support Group Ltd. Registered in England. No. 06489429.
Registered office: FMG House, St Andrews Road, Huddersfield, HD1 6NA.
Tel: 0844 243 8888
This email may contain confidential information and/or copyright material. This email is intended for the use of the addressee only. Any unauthorised use may be unlawful. If you received this email by mistake, please advise the sender by using the reply facility in your email software.
Outbound Message checked by Websense Mail Control.

Attached is a Word document AIG02377973-InsuranceInspectionArranged.doc which comes in at least two different versions, neither of which is detected by AV vendors. These documents contain two slightly different malicious macros which attempt to download a further component from:
This is saved as %TEMP%\324234234.exe which has a VirusTotal detection rate of 2/57. The Malwr report shows it attempting to communicate with the following IPs:
220.127.116.11 (HKBN, Hong Kong)
18.104.22.168 (1&1, US)
These two IP addresses have been used by this malware for a long time, and I strongly recommend you block them. Also, a malicious DLL is dropped on the infected system with a detection rate of just 2/53.
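
One way to hunt for the indicators above in endpoint or proxy logs, as an added example that is not part of the original post. The pipe-delimited log format, host names, ports and sample events are constructed, and flagging other all-digit .exe names in the Temp directory is an assumption that goes beyond the single filename the post reports.

```python
import re
from ntpath import basename, dirname  # Windows path handling on any OS

# Indicators taken from the post above
C2_IPS = {"220.127.116.11", "18.104.22.168"}
DROPPED_NAME = "324234234.exe"

# Assumption (not from the post): other runs may use different all-digit names
NUMERIC_EXE = re.compile(r"^\d{6,}\.exe$", re.I)
# File must sit directly in a user's Temp directory, as %TEMP% resolves
TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Local Settings\\Temp)$", re.I)

# Constructed sample events: "timestamp|host|kind|detail"
SAMPLE_LOG = r"""
2015-01-19T07:31:02|WS-014|file_create|C:\Users\jsmith\AppData\Local\Temp\324234234.exe
2015-01-19T07:31:05|WS-014|net_connect|220.127.116.11:8080
2015-01-19T07:40:11|WS-022|file_create|C:\Users\akhan\AppData\Local\Temp\setup_cache.tmp
2015-01-19T07:42:50|WS-031|file_create|C:\Users\lwong\AppData\Local\Temp\778812003.exe
2015-01-19T07:43:00|WS-022|net_connect|192.0.2.10:443
""".strip()

def classify(kind, detail):
    """Return a reason string if the event matches an indicator, else None."""
    if kind == "net_connect":
        ip = detail.rsplit(":", 1)[0]  # strip the port (IPv4 only)
        return "c2-ip" if ip in C2_IPS else None
    if kind == "file_create" and TEMP_DIR.search(dirname(detail)):
        name = basename(detail)
        if name.lower() == DROPPED_NAME:
            return "known-dropper-name"
        if NUMERIC_EXE.match(name):
            return "numeric-exe-in-temp"
    return None

def scan(log_text):
    """Return (host, reason, detail) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed lines rather than failing the hunt
        _ts, host, kind, detail = parts
        reason = classify(kind, detail)
        if reason:
            hits.append((host, reason, detail))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep="  ")
```

A host that shows both a Temp-directory drop and a connection to one of the listed IPs (WS-014 in the sample) is the strongest candidate for triage.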