Date: 8 July 2015 at 18:02
Subject: Strange bank account operation
Kindly be informed that bank did noticed suspect attempt of money withdrawal relating to Your debit card.
Please find enclosed bank e-mail sent by financial department on Monday.
As well attached are security details for Your review.

Date: 1 January 1970 at 00:00
Subject: Suspicious bank account operation
Kindly be acknowledged that bank had found unauthorised attempt of amounts withdrawal from Your credit card.
Please find enclosed bank warning provided by bank manager earlier.
Also enclosed are security details for Your affirmation.

Date: 8 July 2015 at 17:59
Subject: Illegal bank account transfer
Kindly be informed that bank security department has found illegal attempt of money withdrawal from Your Mastercard account.
Please check the enclosed bank publication provided by banking department today.
As well attached are security details for Your approval.

Date: 8 July 2015 at 16:55
Subject: Strange bank account transfer
Kindly note that bank did noticed suspect attempt of amounts withdrawal related to Your Mastercard.
Please examine the enclosed bank statement sent by manager on Monday.
Furthermore attached are personal details for Your confirmation.

Date: 8 July 2015 at 17:51
Subject: Unauthorised bank account activity
Kindly be acknowledged that bank security department had detected suspect attempt of money withdrawal related to Your debit card.
Please check the enclosed bank statement forwarded by banking department today.
In addition attached are security details for Your control.

Attached is a Word document [VT 6/55] with various filenames:
All the samples I have seen have an identical document with different names, containing this malicious macro which then goes off and downloads various other components according to the Hybrid Analysis report, using the following URLs:
These appear to download as a set of malicious scripts which then download a further component from:
This binary has a detection rate of 3/55. The Malwr report shows that it drops two other files, named as Zlatowef.exe [VT 3/55] and redtytme4.exe [VT 9/55] and it also downloads components from:
That IP is allocated to Cogent Communications in Mexico. The download is Upatre which means that the payload is almost definitely the Dyre banking trojan, even though the delivery mechanism of a Word document is unusual for Dyre.
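
The sample messages at the top of this post are all spun from one template: an adjective plus "bank account" plus a noun in the subject, a "Kindly ... attempt of money/amounts withdrawal" opening line, and a closing line about attached details. As an added example (not part of the original post), a Python mail filter for that template; the word lists come only from the samples quoted here, the function names are hypothetical, and the patterns also accept combinations of those words that the post does not show.

```python
import re

# Word lists are taken only from the five samples quoted in this post.
SUBJECT_RE = re.compile(
    r"^(strange|suspicious|illegal|unauthorised)\s+bank\s+account\s+"
    r"(operation|transfer|activity)$", re.I)
OPENING_RE = re.compile(
    r"\bkindly\s+(be\s+informed|be\s+acknowledged|note)\s+that\s+bank\b.*?"
    r"\battempt\s+of\s+(money|amounts)\s+withdrawal\s+"
    r"(relating\s+to|related\s+to|from)\s+your\b", re.I | re.S)
CLOSING_RE = re.compile(
    r"\b(attached|enclosed)\s+are\s+(security|personal)\s+details\s+for\s+your\b", re.I)
EPOCH_DATE_RE = re.compile(r"^\s*1\s+January\s+1970\b", re.I)


def indicators(date, subject, body):
    """Return the names of the template indicators present in one message."""
    hits = []
    if SUBJECT_RE.match(subject.strip()):
        hits.append("subject")
    if OPENING_RE.search(body):
        hits.append("opening")
    if CLOSING_RE.search(body):
        hits.append("closing")
    if EPOCH_DATE_RE.match(date):
        hits.append("epoch_date")  # epoch timestamp, as in the second sample
    return hits


def is_campaign_match(date, subject, body):
    """Flag a message when the subject and at least one body line fit the template."""
    hits = indicators(date, subject, body)
    return "subject" in hits and ("opening" in hits or "closing" in hits)


# Two samples copied from this post, plus one constructed benign message.
SAMPLES = [
    ("8 July 2015 at 16:55", "Strange bank account transfer",
     "Kindly note that bank did noticed suspect attempt of amounts withdrawal "
     "related to Your Mastercard.\nFurthermore attached are personal details "
     "for Your confirmation."),
    ("1 January 1970 at 00:00", "Suspicious bank account operation",
     "Kindly be acknowledged that bank had found unauthorised attempt of amounts "
     "withdrawal from Your credit card.\nAlso enclosed are security details for "
     "Your affirmation."),
    ("8 July 2015 at 09:00", "Your June statement is ready",  # constructed
     "Your statement is now available in online banking."),
]
print([is_campaign_match(*s) for s in SAMPLES])  # [True, True, False]
```

Requiring the subject plus a body line keeps a legitimate bank notice that happens to share one phrase from being flagged on its own.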