From "deborah Sherer" [email@example.com]Attached is a file Cleaning022958.doc which comes in three different versions (VirusTotal results   ) containing a macro that looks like this [pastebin] and downloads a malicious binary from one of the following locations:
Date Fri, 23 Oct 2015 17:03:19 +0700
Subject cleaning invoice
attached is invoice for payment
This email has been checked for viruses by Avast antivirus software.
This is saved as %TEMP%\lenderb2.exe and has a VirusTotal detection rate of just 1/55 (that's just a generic detection by Kaspersky).
That VirusTotal report plus this Hybrid Analysis report show network traffic to:
220.127.116.11 (Online SAS / Iliad Entreprises / Poney Telecom, France)
Private sources also identify these following IPs as part of the C2 infrastructure:
18.104.22.168 (Trinity College Hartford, US)
22.214.171.124 (Linode, US)
126.96.36.199 (Codero, US)
The payload appears to be the Dridex banking trojan.