Date: 16 July 2015 at 12:53Attached is a malicious Word document which in the two samples I saw was called
Subject: Excelent job !
Congratulations ! You will obtain a 25% commission for the latest sale. Please overlook the next papers to know the whole sum you've gained.
Daily you prove that you are the main force of our branch in the sales. I am elate and beholden to have such a gifted and able employee. Proceed the good achievements.
All the best.
Michelle Curtis Company management
Date: 16 July 2015 at 11:53
Subject: Good achievement !
Congratulations ! You will win a 40% rake-off for the latest sale. Please see the these documents to find out the entire sum you've won.
Everyday you assure that you are the head power of our group in the sales. I am sublime and beholden to get such a talented and skillful workman. Continue the good achievements.
With the best regards.
Sharon Silva Company management
Both these documents were identical apart from the filename, and have a VirusTotal detection rate of 4/55. Inside the document is this malicious macro [pastebin], which (according to Hybrid Analysis) downloads several components (scripts and batch files) from:
These are executed, then a malicious executable is downloaded from:
This has a VirusTotal detection rate of 8/55 and that report plus other automated analysis tools   phones home to the following malicious URLs:
That IP belongs to C2NET in the Czech Republic. It also send non-malicious traffic to icanhazip.com (a legitimate site that returns the IP address) which is a good indicator of compromise.
This malware drops the Dyre banking trojan.