From "email@example.com" [firstname.lastname@example.org]
Date Thu, 23 Jul 2015 18:23:44 +0700
Subject Order Form for Job Number 2968347
Thanks for your order, job reference 2968347. Please open the attached order form,
read it and check it.
To Accept your order:
- Visit http://www.printing.com/uk/
- Sign in (see below if you don't have a username or you've forgotten your password);
- In the "My Orders" section, click on job 2968347;
- Click the "Accept" button at the bottom of the screen;
If you have any queries about the order please call me before you accept it.
Thanks again for your order!
Cargo Fleet Offices
Tel: 01642 205649
Franchises are independently owned and operated under licence. Dan James Limited.
Registered in England No. 5164910 Registered Address: Rede House, 69-71 Corporation
Road, Middlesbrough, TS1 1LY VAT Registration No.: GB 847 8229 85
Attached is a file OrderForm2968347.docm which I have seen in three different versions (there are maybe more) with various detection rates   . They contain a malicious macro like this one [pastebin].
The macro downloads a malicious binary from one of the following locations:
All of these are on the same compromised OVH France server of 22.214.171.124. The binary has a detection rate of just 2/54 and it is saved as %TEMP%\ihhadnic.exe. Automated analysis    shows attempted network traffic to:
126.96.36.199 (PlusServer AG, Germany)
188.8.131.52 (Reg.Ru, Russia)
184.108.40.206 (Selectel, Russia)
The payload appears to be the Dridex banking trojan.