From: Kristina Preston [Kerry.email@example.com]The names and references change between different versions, but in all cases there is a malicious DOC file attached. This DOC has an unusual structure in that it is a some sort of MIME file containing a mixture of HTML and Base64-encoded segments.
Date: 11 May 2015 at 12:56
Subject: Payment details and copy of purchase [TU9012PM-UKY]
On 08/05/15 you have requested full payment details and copy of purchase. Please refer to document in the attachment.
Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
My source has analysed that this downloads a VBS file from Pastebin at pastebin[.]com/download.php?i=FsYQqTaj which then downloads some sort of .NET binary from 91.226.93[.]14:8080/stat/get.php (Sobis, Russia)
This binary has a detection rate of 2/56 and according to automated analysis tools   it communicates with:
22.214.171.124 (FastVPS, Estonia)
It also drops a DLL with an MD5 of f0d261147d2696253ab893af3d125f53 and a detection rate of 1/56.