From: Chris Christou [email@example.com]
Date: 26 February 2015 at 10:45
Subject: Copy invoices
Please find copy invoices attached as per our telephone conversation.
Gardiners Lane South
Essex SS14 3AP
Tel: 0845 130 9070
Fax: 0845 370 9071
“Think before you Print” - Please consider the environment before printing this e-mail
It does NOT come from Grey Simmons, nor have their systems been compromised in any way. Instead, this is a simple forgery.
I have only seen one sample so far, with an attachment IGM135809.doc [detection rate 0/57] which contains this malicious macro [pastebin] which downloads a further component from:
This is saved as %TEMP%\GVhjJJVJH.exe and has a VirusTotal detection rate of 4/56. Automated analysis tools show it attempting to phone home to the following IPs:
220.127.116.11 (MWTV, Latvia)
18.104.22.168 (Webazilla, US)
22.214.171.124 (One Telecom, Moldova)
126.96.36.199 (Net 3, US)
This Malwr report shows dropped files with an MD5 of 590fc032ac747d970eb8818671f2bbd3 [VT 3/57] and 1997b0031ad702c8347267db0ae65539 [VT 4/57].
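A sweep for the indicators listed above, as an added example that is not part of the original post: it checks log lines for the four phone-home IPs and a directory tree (for instance a copy of a user's %TEMP%) for the dropper file name or the two dropped-file MD5s. The log format and the sample lines are constructed for illustration, and the function names are hypothetical.

```python
import hashlib
import ipaddress
import re
from pathlib import Path

# Indicators copied from the post above.
C2_IPS = {ipaddress.ip_address(a) for a in (
    "220.127.116.11", "18.104.22.168", "22.214.171.124", "126.96.36.199")}
DROPPED_MD5 = {"590fc032ac747d970eb8818671f2bbd3",
               "1997b0031ad702c8347267db0ae65539"}
DROPPER_NAME = "gvhjjjvjh.exe"  # GVhjJJVJH.exe; Windows names are case-insensitive

# Whole dotted quads only, so a listed IP embedded in a longer number is not a hit.
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def sweep_log(lines):
    """Return (line_number, ip) for every log line that mentions a listed IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in _IPV4.findall(line):
            try:
                ip = ipaddress.ip_address(tok)
            except ValueError:  # not a valid address, e.g. 999.1.1.1
                continue
            if ip in C2_IPS:
                hits.append((n, str(ip)))
    return hits

def sweep_dir(root):
    """Return (path, reason) for files matching the dropper name or a listed MD5."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() == DROPPER_NAME:
            hits.append((str(p), "name"))
        elif hashlib.md5(p.read_bytes()).hexdigest() in DROPPED_MD5:
            hits.append((str(p), "md5"))
    return hits

# Constructed sample lines in a made-up firewall log format (not real traffic).
SAMPLE_LOG = [
    "2015-02-26 10:51:02 10.0.0.23 -> 220.127.116.11:8080 ALLOW",
    "2015-02-26 10:51:07 10.0.0.23 -> 192.0.2.10:443 ALLOW",
    "2015-02-26 10:52:40 10.0.0.31 -> 126.96.36.1990:80 DROP",  # near miss
]

if __name__ == "__main__":
    print(sweep_log(SAMPLE_LOG))
```

The file name is likely to change between spam runs, so the hash and IP matches are the more durable of the three checks.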