From: Lichelle Ebner [mailto:Lichelle5938@lagrinding.co.uk]So far I have seen just a single sample with an attachment I413136.doc which has a VirusTotal detection rate of 2/57 and which contains this malicious macro [pastebin], in turn this downloads a component from:
Sent: Tuesday, April 21, 2015 9:55 AM
Subject: LAG invoice I413136
Dear Accounts Payable,
Attached is a copy of invoice I413136 .The items were shipped. Please feel free to contact me if you have any questions or cannot read the attachment.
Thank you for your business.
L. A. Grinding Company
Ph. (818) 846-9134
..although there are probably different versions of the macro with different download locations, the binary itself should be the same in all cases. This is saved as %TEMP%\pierre6.exe and it has a detection rate of 5/56.
Automated analysis tools    show that it attempts to communicate with a familiar IP:
220.127.116.11 (StarNet SLR, Moldova)
According to this Malwr report it also drops a malicious Dridex DLL with a detection rate of 3/56.