Date: 6 January 2015 at 08:56
Subject: This is your Remittance Advice #ATS29858
DO NOT REPLY TO THIS EMAIL ADDRESS
Please find attached your remittance advice from Saint Gobain UK.
For any queries relating to this remittance please notify the Payment Enquiry Team on 01484913947
SGBD National Payments Centre
Note that this email is a forgery. Saint Gobain UK are not sending the spam, nor have their systems been compromised in any way. Instead, criminals are using a botnet to spam out malicious Excel documents.
Each email has a different reference number, and the attachment file name matches. The telephone number is randomly generated in each case, using a dialling code of 01484 which is Huddersfield (in the UK). There will probably be a lot of confused people in Huddersfield at the moment.
There are actually four different version of the malicious Excel file, none of which are detected by anti-virus vendors     containing four different but similar macros     [pastebin] which then download a component from one of the following locations:
This file is downloaded as test.exe and it then saved as %TEMP%\1V2MUY2XWYSFXQ.exe. It has a VirusTotal detection rate of just 3/48. That report shows that the malware then connects to the following URLs:
220.127.116.11 is allocated to PE "Filipets Igor Victorovych" in Ukraine. 18.104.22.168 is Private Layer Incin Panama. I would definitely recommend blocking them and possibly the entire /24s in which they are hosted.
The Malwr report shows no activity, indicating that it is hardened against analysis.