From: Circor [DONOTREPLY_JDE@circor.com]
Date: 31 March 2015 at 10:32
Subject: CIT Inv# 15013919 for PO# SP14384
Please do not respond to this email address. For questions/inquires, please
contact our Accounts Receivable Department.
This email has been scanned by the MessageLabs outbound
Email Security System for CIRCOR International Inc.
For more information please visit http://www.symanteccloud.com
In the sample I have seen, there is an attachment FOPRT01.doc which has a VirusTotal detection rate of 5/57. It downloads a binary from:
This binary is the same as used in this attack and it has the same payload.