From: Circor [_CIG-EDI@circor.com]Don't be fooled by the email signature, the attachment is definitely nasty. So far I have only seen one version with a detection rate of 4/55, which contains a malicious macro [pastebin] that downloads a component from:
Date: 3 February 2015 at 09:56
Subject: CIT Inv# 15000375 for PO# SP14161
Please do not respond to this email address. For questions/inquires, please
contact our Accounts Receivable Department.
This email has been scanned by the MessageLabs outbound
Email Security System for CIRCOR International Inc.
For more information please visit http://www.symanteccloud.com
..which is then saved as %TEMP%\\dsfsdf.exe. This has a VirusTotal detection rate of 3/48 (it is identified as a Dridex component). According to the Malwr report, this phones home to a couple of IPs that I haven't seen before:
22.214.171.124 (Universidade De Sao Paulo, Brazil)
126.96.36.199 (MWTV SIA, Latvia)
It also drops a DLL with a detection rate of 3/56.