From: Matthews, Tina [email@example.com]Running in parallel to this is another claiming to be from UK firm AquaAid which has been going on for a long time. In the first case the attachment is 20150326094147512.doc and in the second it is CAR015890001.doc, but they are the same malicious document.
Date: 9 April 2015 at 10:48
Subject: Credit card transaction
Here is the credit card transaction that you requested.
Royal Wholesale Electric
2801 East 208th Street
Carson, CA 90810
The document is currently undetected by AV vendors and contains a malicious macro [pastebin] which downloads a binary from:
This is saved as %TEMP%\ittext1.5.exe and has a VirusTotal detection rate of 3/49. Automated analysis tools     show traffic to the following IPs:
22.214.171.124 (Docker Ltd, Russia)
126.96.36.199 (Microtech Tel, US)
188.8.131.52 (Cadr-TV LLE TVRC, Ukraine)
184.108.40.206 (World Internetwork Corporation, Thailand)
220.127.116.11 (OneGbits, Lithuania)
18.104.22.168 (DigitalOcean Cloud, Singapore)
22.214.171.124 (University Of Chicago, US)
126.96.36.199 (Corgi Tech Limited, UK)
188.8.131.52 (Digital Ocean, UK)
184.108.40.206 (Digital Networks CJSC aka DINETHOSTING, Russia)
220.127.116.11 (Hutchison 3G, UK)
According to the Malwr report is also drops another variant of the downloader [VT 4/57] and a Dridex DLL [VT 4/57].