From: James Dudley [James.Dudley@hitec.co.uk]
Date: 25 March 2015 at 09:38
Subject: Payment 1142

Payment sheet attached.

T 01353 624023
F 01353 624043
23 Regal Drive

This message has been scanned for viruses and malicious content by Green Duck SpamLab

I have only seen a single sample of this, with an attachment Payment 1142.doc which has a VirusTotal detection rate of 5/57. It contains this malicious macro [pastebin] which attempts to download a component from:

..which is then saved as %TEMP%\sollken1.2.8.exe. This has a detection rate of 12/57. Automated analysis of this binary is pending, but is so far inconclusive.
Incidentally, the macro contains this snippet:
' (File name: AddNewSheet.bas)
' Author: SENOO, Ken
' LICENSE: CC0
' (Last update: 2015-03-10T18:38+09:00)
All that means is that this Ken Senoo created and freely licensed a Visual Basic module that the bad guys are using. It does not mean that they have anything at all to do with this malware attack.
UPDATE: this interesting new tool from Payload Security gives some insight as to what the malware does. In particular, it phones home to:
126.96.36.199 (Steadfast Networks, US)
188.8.131.52 (OneGbits, Lithuania)
184.108.40.206 (Orange S.A., France)
220.127.116.11 (Tata Indicom, India)
18.104.22.168 (Digital Networks aka DINETHOSTING, Russia)
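As an added example (not part of the original post, and not the Payload Security tool's output), the indicators quoted above, the five phone-home IPs and the dropped file name sollken1.2.8.exe, can be turned into a quick triage script that sweeps outbound-connection and file-creation logs for hosts that opened the attachment. The log formats and the log lines themselves are constructed for the example; the IP-to-owner mapping is copied from the list above.

```python
"""Sweep outbound-connection and file-creation logs for the indicators
listed in the post.  Log formats below are assumed for the example."""
import re
from collections import defaultdict

# Phone-home addresses and owners as listed in the post.
C2_IPS = {
    "126.96.36.199": "Steadfast Networks, US",
    "188.8.131.52": "OneGbits, Lithuania",
    "184.108.40.206": "Orange S.A., France",
    "220.127.116.11": "Tata Indicom, India",
    "18.104.22.168": "Digital Networks aka DINETHOSTING, Russia",
}
# Basename of the binary the macro writes into %TEMP%.
DROPPED_FILE = "sollken1.2.8.exe"

# Constructed sample firewall log: timestamp src dst action detail.
SAMPLE_LOGS = """\
2015-03-25T09:41:02 10.1.2.33 126.96.36.199 ALLOW tcp/80
2015-03-25T09:41:05 10.1.2.33 203.0.113.10 ALLOW tcp/443
2015-03-25T09:42:10 10.1.2.57 18.104.22.168 DENY tcp/8080
2015-03-25T09:45:00 10.1.2.33 10.1.2.1 ALLOW udp/53
2015-03-25T09:46:17 10.1.2.90 188.8.131.52 ALLOW tcp/443
"""

# Constructed sample endpoint log: timestamp host event path.
SAMPLE_FILE_EVENTS = """\
2015-03-25T09:40:58 10.1.2.33 FileCreate C:\\Users\\jdoe\\AppData\\Local\\Temp\\sollken1.2.8.exe
2015-03-25T09:40:59 10.1.2.33 FileCreate C:\\Users\\jdoe\\AppData\\Local\\Temp\\~WRD0001.tmp
2015-03-25T09:42:03 10.1.2.57 FileCreate C:\\Windows\\Temp\\sollken1.2.8.exe
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(ALLOW|DENY)\s+(\S+)$")


def c2_hits(log_text):
    """Return (timestamp, src, dst, action, owner) for every flow whose
    destination is a listed C2 address.  A DENY still counts: the host
    tried to phone home, so it has most likely already run the binary."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, src, dst, action, _detail = m.groups()
        if dst in C2_IPS:
            hits.append((ts, src, dst, action, C2_IPS[dst]))
    return hits


def dropped_file_hits(event_text):
    """Return (timestamp, host, path) for file-creation events whose basename
    is the dropped binary.  Matching on the basename rather than the full
    path covers %TEMP% resolving differently per user and per service."""
    hits = []
    for line in event_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        ts, host, kind, path = parts
        if kind == "FileCreate" and path.lower().endswith("\\" + DROPPED_FILE):
            hits.append((ts, host, path))
    return hits


def suspected_hosts(log_text, event_text):
    """Map each host that showed either indicator to its evidence lines,
    hosts with the most evidence first."""
    evidence = defaultdict(list)
    for ts, src, dst, action, owner in c2_hits(log_text):
        evidence[src].append(f"{ts} {action} -> {dst} ({owner})")
    for ts, host, path in dropped_file_hits(event_text):
        evidence[host].append(f"{ts} created {path}")
    return dict(sorted(evidence.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for host, lines in suspected_hosts(SAMPLE_LOGS, SAMPLE_FILE_EVENTS).items():
        print(host)
        for line in lines:
            print("   ", line)
```

On the constructed data the script flags three hosts: two that both wrote the dropped file and reached a listed address, and one that only phoned home. Treat a blocked (DENY) connection the same as an allowed one when prioritising hosts, because the block stops the callback but not the execution that caused it.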