Date: 10 August 2015 at 10:17
Subject: Premium Charging MI Package for Merchant 17143013
*** Please do not reply to this Message *** Attached is the Management Information to support your Monthly Invoice. Should you have any queries, please refer to your usual helpdesk number.
So far I have seen only one sample with named 17143013 01.docm. Despite having a detection rate of 5/55 at VirusTotal, the document is malformed and is Base 64 encoded. When manually decoded it still has a detection rate of 5/55 and it contains this malicious macro [pastebin] which then downloads a component from:
This is exactly the same payload as seen in this spam run also from this morning.