From: Gail Walker [firstname.lastname@example.org]So far I have seen two different malicious Word documents (there may be more) with low detection rates   containing a different macro each  . These download a component from the following locations:
Date: 11 February 2015 at 09:52
Subject: Outstanding Invoice 271741
Payment for your Season Ticket was due by 31 January 2015 and has not yet been received. A copy of the invoice is attached.
By way of a reminder, the Season Ticket entitles all members of your organisation to save up to 50% on our public seminars and webinars. Since being a Season Ticket Holder your organisation has saved £728.50.
Please arrange for payment by return by BACS, cheque, or credit card. If payment has been arranged and just not reached us yet then please ignore this email.
If you have any queries, please do not hesitate to contact us.
MBL (Seminars) Limited
The Mill House
6 Worsley Road
Tel: +44 (0)161 793 0984
Fax: +44 (0)161 728 8139
This file is saves as %TEMP%\dsHHH.exe. It has a VirusTotal detection rate of 10/57. Automated analysis tools    show attempted connections to the following IPs:
126.96.36.199 (Comfortel, Russia)
188.8.131.52 (OVH, France / Olga Borodynya, Russia)
184.108.40.206 (Hetzner, Germany)
220.127.116.11 (Microtech Tel, US)
18.104.22.168 (Webazilla, Netherlands / Fozzy Inc, US)
22.214.171.124 (Mchost, Russia)
The Malwr report suggests an attempt to connect to these nonexistent domains:
It also drops a DLL with a detection rate of 3/57 which is probably Dridex.
For researchers, a copy of the files can be found here. Password is infected.
UPDATE 2015-02-12Another spam run is under way, with the same text but two different DOC files with zero detections   containing one of two malicious macros   that download another component from one of the following locations:
The payload appears to be the same as the one used in this spam run.