Date: 6 May 2015 at 12:44
Subject: Email from Transport for London
Please open the attached file to view correspondence from Transport for
If the attachment is in DOC format you may need Microsoft Word to
read or download this attachment.
Thank you for contacting Transport for London.
Customer Service Representative
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally privileged. If you are not the intended recipient any reading, dissemination, copying or any other use or reliance is prohibited. If you have received this email in error please notify the sender immediately by email and then permanently delete the email.
So far I have seen four different versions of the malicious Word document AP0210780545.doc, all with low detection rates     containing various macros    . These attempt to download an executable from one of the following locations:
This file is saved as %TEMP%\wiley5.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools    show attempted network traffic to:
220.127.116.11 (Filanco Ltd, Russia)
18.104.22.168 (StarNet, Moldova)
22.214.171.124 (RuWeb CJSC, Russia)
126.96.36.199 (Colobridge, Germany)
This Malwr report shows that it drops a Dridex DLL with a detection rate of 4/56.