From: reed.co.uk Credit Control [mailto:firstname.lastname@example.org]The only sample I have seen so far has an attachment 29172230_15.06.15.doc [detection rate 3/57] which contains this malicious macro [pastebin] which downloads a component from the following location:
Sent: Monday, June 15, 2015 11:10 AM
Subject: Payment Confirmation 29172230
Many thanks for your card payment. Please find payment confirmation attached below.
Should you have any queries, please do not hesitate to contact Credit Control Team on 0845 241 9293.
Credit Control Team
T: 020 7067 4584
F: 020 7067 4628
This is saved as %TEMP%\ginkan86.exe and has a VirusTotal detection rate of 6/57. There will probably be other download locations, but they should all lead to an identical binary. Automated analysis tools    show traffoc to the following IPs:
220.127.116.11 (Hetzner, Germany)
18.104.22.168 (Charter Communications, US)
22.214.171.124 (Linode, US)
126.96.36.199 (OVH, France)
188.8.131.52 (Global Telecommunications Ltd, Russia)
According the this Malwr report, it also drops a Dridex DLL with a detection rate of 18/57.