Date Wed, 01 Jul 2015 10:49:12 +0300
Subject Document Order 534-550719-84513074/1
Order: 534-550719-84513074 29/06/2015 09:35:46
Companies House WebFiling order 534-550719-84513074/1 is attached.
Thank you for using the Companies House WebFiling service.
Email: email@example.com Telephone +44 (0)303 1234 500
Note: This email was sent from a notification-only email address which cannot accept
incoming email. Please do not reply directly to this message.
In the sample I saw, the attachment was named compinfo_534-550719-84513074_1.doc [VT 2/55] which contained this malicious macro [pastebin] which downloads a file from:
This is then saved as %TEMP%\silvuple.exe and it has a VirusTotal detection rate of just 1/55. Automated analysis tools indicate malicious traffic to:
126.96.36.199 (Hetzner, Germany)
This IP has been seen a few times recently. Blocking traffic to it is probably a good idea.
The payload is probably the Dridex banking trojan which usually drops via a DLL, although I have not been able to obtain a sample.