From: Kate Coffey
Date: 1 April 2015 at 15:00
Subject: Your Remittance Advice PEEL SOUTH EAST
Dear sir or Madam,
Please find attached a remittance advice (JT934IYIP.doc) for your information.
Should you need any further information, please do not hesitate to contact us.
PEEL SOUTH EAST
Attached is a Word document whose filename matches the one given in the body text. Every email attachment we have seen so far is slightly different, but there seem to be just two different malicious macros [pastebin] which download a component from one of the following locations:
Those servers are almost certainly entirely malicious, with IPs assigned to:
184.108.40.206 (Relink Ltd, Russia)
220.127.116.11 (Sysmedia, Russia)
This file is saved as %TEMP%\DOWUIAAFQTA.exe and has a VirusTotal detection rate of 4/49. Automated analysis tools show attempted connections to:
18.104.22.168 (TheFirst-RU, Russia)
22.214.171.124 (Digital Ocean, US)
126.96.36.199 (Portlane AB, Sweden)
188.8.131.52 (Data Communication Business Group, Taiwan)
184.108.40.206 (Private Layer Inc, Switzerland)
220.127.116.11 (Telefonica Moviles Espana, Spain)
18.104.22.168 (OVH / Simpace.com, UK)
According to this Malwr report it downloads the same Dridex DLL as seen in this spam run plus another variant of the downloader with a detection rate of 3/56.
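For anyone wanting to sweep egress or proxy logs for this run, the following is an added example and not part of the original post: it takes the IP addresses and the dropped filename listed above as indicators and flags any log line where a host contacted one of those servers or where the process making the connection is %TEMP%\DOWUIAAFQTA.exe. The log format (`timestamp host dst= dport= proc=`) and the sample lines are constructed for the example; adapt the regex to whatever your proxy or EDR actually emits.

```python
"""Match egress log lines against the indicators from the remittance-advice spam run."""
import re
from typing import Dict, List, Optional

# Servers the malicious macros download from (IP -> attribution, as listed in the post).
MACRO_DOWNLOAD_SERVERS: Dict[str, str] = {
    "184.108.40.206": "Relink Ltd, Russia",
    "220.127.116.11": "Sysmedia, Russia",
}

# Servers the dropped executable tried to reach (as listed in the post; two IPs
# appear twice there with different attributions, so both are kept here).
PAYLOAD_SERVERS: Dict[str, str] = {
    "18.104.22.168": "TheFirst-RU, Russia; OVH / Simpace.com, UK",
    "22.214.171.124": "Digital Ocean, US",
    "126.96.36.199": "Portlane AB, Sweden",
    "188.8.131.52": "Data Communication Business Group, Taiwan",
    "184.108.40.206": "Private Layer Inc, Switzerland",
    "220.127.116.11": "Telefonica Moviles Espana, Spain",
}

# Filename the macro saves the downloaded component under (from the post).
DROPPED_FILE = "DOWUIAAFQTA.exe"

# Constructed log format for this example: "<date> <time> <host> dst=<ip> dport=<port> proc=<path>".
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) dport=(?P<dport>\d+) proc=(?P<proc>.+)$"
)

# The dropped executable living in a Temp directory, regardless of drive or user profile.
TEMP_DROP = re.compile(r"[\\/]Temp[\\/]" + re.escape(DROPPED_FILE) + r"$", re.IGNORECASE)

# Constructed sample log lines; 203.0.113.5 is from the documentation range and is benign here.
SAMPLE_LOG: List[str] = [
    r"2015-04-01 15:02:11 WKSTN-07 dst=184.108.40.206 dport=80 proc=C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
    r"2015-04-01 15:02:40 WKSTN-07 dst=126.96.36.199 dport=443 proc=C:\Users\alice\AppData\Local\Temp\DOWUIAAFQTA.exe",
    r"2015-04-01 15:03:02 WKSTN-12 dst=203.0.113.5 dport=443 proc=C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"2015-04-01 15:03:15 WKSTN-12 dst=203.0.113.5 dport=80 proc=C:\Windows\System32\svchost.exe",
]


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return an alert record for a line that matches an indicator, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None  # unparseable line; a real deployment would count these
    dst, proc = m["dst"], m["proc"]
    reasons: List[str] = []
    if dst in MACRO_DOWNLOAD_SERVERS:
        reasons.append(f"macro download server ({MACRO_DOWNLOAD_SERVERS[dst]})")
    if dst in PAYLOAD_SERVERS:
        reasons.append(f"payload callback ({PAYLOAD_SERVERS[dst]})")
    if TEMP_DROP.search(proc):
        reasons.append(f"network activity from %TEMP%\\{DROPPED_FILE}")
    if not reasons:
        return None
    return {
        "timestamp": m["ts"],
        "host": m["host"],
        "dst": dst,
        "dport": m["dport"],
        "process": proc,
        "reasons": "; ".join(reasons),
    }


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over every line and keep only the alerts, in log order."""
    return [alert for alert in (classify(line) for line in lines) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['timestamp']} {alert['host']} -> {alert['dst']}:{alert['dport']} "
              f"[{alert['process']}] {alert['reasons']}")
```

Because one IP from the macro-download list also appears among the payload callbacks, a single connection can carry both reasons; keeping them separate makes it easier to tell a host that merely opened the document from one on which the dropped executable actually ran.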