From: Hilda Buckner
Date: 4 August 2015 at 13:29
Subject: Need your attention: OO-6212/863282
Hope you are well
Please find attached the statement that matches back to your invoices.
Can you please sign and return.
In that case, the attachment is victimname_JM_1646.doc (other messages have differently-named attachments, but all with the victim's name in them) which in this case contains this malicious macro [pastebin].
What that macro does (other ones may be slightly different) is download a VBS script from pastebin.com/download.php?i=0rYd5TK3 [link here, safe to click] which is then saved as %TEMP%\nnjBHccs.vbs.
That VBS then downloads a file from 220.127.116.11/bt/bt/ched.php which is then saved as %TEMP%\JHVHsd.exe which currently has a detection rate of zero (MD5 = 00dca835bb93708797a053a3b540db16).
The Malwr report indicates that this phones home to 18.104.22.168 (NFrance Conseil, France). The payload is probably the Dridex banking trojan.
Note that the malware also sends apparently non-malicious traffic to itmages.ru, for example:
Therefore I would suggest that monitoring for traffic to itmages.ru is a fairly good indicator of compromise.
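To turn the indicators in this post into something a defender can run, here is an added example (not code from the original post) that scans proxy log lines for the network indicators named above: any host under itmages.ru, raw downloads via pastebin.com/download.php, and connections to the two IP addresses mentioned. The log format and the sample lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Network indicators taken from the post above.
IOC_DOMAINS = {"itmages.ru"}
IOC_HOSTS = {"220.127.116.11", "18.104.22.168"}

# Constructed sample proxy log: "<timestamp> <client_ip> <method> <url>" (assumed format)
SAMPLE_LOG = """\
2015-08-04T13:31:02Z 10.0.0.12 GET http://pastebin.com/download.php?i=0rYd5TK3
2015-08-04T13:31:05Z 10.0.0.12 GET http://220.127.116.11/bt/bt/ched.php
2015-08-04T13:31:09Z 10.0.0.12 POST http://18.104.22.168/
2015-08-04T13:31:10Z 10.0.0.12 GET http://img.itmages.ru/
2015-08-04T13:32:00Z 10.0.0.15 GET http://pastebin.com/0rYd5TK3
2015-08-04T13:32:30Z 10.0.0.15 GET http://www.example.com/
"""


def classify(url):
    """Return the name of the indicator a URL matches, or None if it is clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in IOC_HOSTS:
        return "known-bad-ip"
    # Match the domain itself and any subdomain (img.itmages.ru etc.)
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        return "itmages.ru-traffic"
    # Raw paste download as used by the macro; viewing a paste in a browser is not flagged
    if host == "pastebin.com" and parts.path == "/download.php" and parts.query.startswith("i="):
        return "pastebin-raw-download"
    return None


def scan_log(text):
    """Return a list of (client_ip, indicator, url) for every matching log line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed or empty lines
        _ts, client, _method, url = fields
        label = classify(url)
        if label:
            hits.append((client, label, url))
    return hits


def suspect_clients(hits, min_indicators=2):
    """Clients that triggered at least min_indicators distinct indicators."""
    seen = {}
    for client, label, _url in hits:
        seen.setdefault(client, set()).add(label)
    return sorted(c for c, labels in seen.items() if len(labels) >= min_indicators)


if __name__ == "__main__":
    for client, label, url in scan_log(SAMPLE_LOG):
        print(f"{client} {label} {url}")
    print("suspect clients:", suspect_clients(scan_log(SAMPLE_LOG)))
```

Running it on the sample log flags only 10.0.0.12, which touched all three indicator types in sequence; the second client only viewed a paste page and browsed a normal site.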