From: [1NAV PROD RCS] [mailto:firstname.lastname@example.org]
Subject: Order Confirmation RET-385236 250615
Please find attached your Sales Order Confirmation
Note: This e-mail was sent from a notification only e-mail address that
cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.
In the sample I have seen, the attachment is called Order Confirmation RET-385236 250615.doc and contains this malicious macro [pastebin], which downloads a component from the following location:
Usually there are several different versions of the macro, each one loading an identical binary but from a different location. This file is saved as %TEMP%\biksenpd.exe and has a VirusTotal detection rate of 7/55.
According to various automated analysis tools, the sample doesn't seem to run properly, but it looks like it tries to send traffic to the following IPs:
220.127.116.11 (Strategic Systems Consulting, US)
18.104.22.168 (OneGbits, Lithuania)
22.214.171.124 (ASDL Subscriber, Iran)
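As an added example (not from the original post, and not the malware author's code), here is a small Python triage script that checks log lines for the indicators listed above: the three IP addresses, the dropped file name biksenpd.exe, and the attachment name. The attachment pattern (any "Order Confirmation RET-<digits> <digits>.doc") generalises from the single sample and is an assumption; the log lines are constructed here to look like Sysmon and proxy output and are not real telemetry.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators reported in the post: the addresses the dropped binary tries to
# reach and the name it is saved under in %TEMP%.
C2_IPS = {ipaddress.ip_address(a) for a in (
    "220.127.116.11",
    "18.104.22.168",
    "22.214.171.124",
)}
DROPPED_FILE = "biksenpd.exe"

# Assumption: the lure name "Order Confirmation RET-385236 250615.doc" is
# generalised to any RET-<digits> <digits>.doc; only one sample is known.
LURE_DOC_RE = re.compile(r"order confirmation ret-\d+ \d+\.doc", re.I)

# \b on both sides stops 18.104.22.16 from matching as a prefix of 18.104.22.168.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    reason: str


def scan_line(line_no: int, line: str) -> list[Hit]:
    """Return every indicator match found in one log line."""
    hits = []
    for candidate in IPV4_RE.findall(line):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 looks like an IP but is not one
            continue
        if addr in C2_IPS:
            hits.append(Hit(line_no, candidate, "connection to address reported as C2"))
    if DROPPED_FILE in line.lower():
        hits.append(Hit(line_no, DROPPED_FILE, "dropped payload name in process/file event"))
    lure = LURE_DOC_RE.search(line)
    if lure:
        hits.append(Hit(line_no, lure.group(0), "lure attachment name in file event"))
    return hits


def scan_log(lines) -> list[Hit]:
    """Scan an iterable of log lines; line numbers start at 1."""
    return [h for n, line in enumerate(lines, 1) for h in scan_line(n, line)]


# Constructed sample lines (Sysmon-like and proxy-like); not real telemetry.
SAMPLE_LOG = [
    r"ProcessCreate Image=C:\Users\alice\AppData\Local\Temp\biksenpd.exe "
    r"ParentImage=C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
    "2015-06-15 10:02:11 10.0.0.14 CONNECT 18.104.22.168:80 DENIED",
    "2015-06-15 10:02:12 10.0.0.14 GET 18.104.22.16 200",  # lookalike address, benign
    r"FileCreate Image=C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE "
    r"TargetFilename=C:\Users\alice\AppData\Local\Temp\Order Confirmation RET-385236 250615.doc",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.reason} ({hit.indicator})")
```

Because the sandboxes in the post report that the sample does not run properly, the network indicators may never appear in proxy logs; checking host telemetry for the dropped file name alongside the addresses gives a second chance at catching the infection.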