From: Colin Fox [email@example.com]The attachment is Sales Invoice 519658.pdf [VT 2/57] This spam drops the Dridex banking trojan, but unlike other recent runs the attachment is a PDF file rather than an Office document. In fact, the PDF file contains a script that generates and drops a Word document named 6.doc [Malwr report, Payload Security report] [VT 4/55] which in turn contains a malicious macro that looks like this [pastebin].
Date: 24 April 2015 at 09:40
Subject: Invoice 519658
Please find Invoice 519658 attached
There may be different versions of the macro, but in this case it downloads a component from:
..which is saved as %TEMP%\pierre6.exe. This binary has a detection rate of 4/57 and automated analysis tools    show an attempted network connection to:
220.127.116.11 (RuWeb CJSC, Russia)
18.104.22.168 (TheFirst-RU, Russia)
22.214.171.124 (TheFirst-RU, Russia)
126.96.36.199 (StarNet SRL, Moldova)
In addition, the Malwr report says that it drops a Dridex DLL with a detection rate of 4/57.