From "deborah Sherer" [firstname.lastname@example.org]
Date Fri, 23 Oct 2015 17:03:19 +0700
Subject cleaning invoice
attached is invoice for payment
This email has been checked for viruses by Avast antivirus software.
Attached is a file Cleaning022958.doc which comes in three different versions (VirusTotal results) containing a macro that looks like this [pastebin] and downloads a malicious binary from one of the following locations:
This is saved as %TEMP%\lenderb2.exe and has a VirusTotal detection rate of just 1/55 (that's just a generic detection by Kaspersky).
That VirusTotal report plus this Hybrid Analysis report show network traffic to:
18.104.22.168 (Online SAS / Iliad Entreprises / Poney Telecom, France)
Private sources also identify the following IPs as part of the C2 infrastructure:
22.214.171.124 (Trinity College Hartford, US)
126.96.36.199 (Linode, US)
188.8.131.52 (Codero, US)
The payload appears to be the Dridex banking trojan.