From: "Norwich Camping" [firstname.lastname@example.org]
Date: Mon, 26 Oct 2015 13:43:14 +0430
Subject: #NC-242455-Zmj Your Norwich Camping Order has shipped!

Your Norwich Camping & Leisure order "#NC-242455-Zmj" has now been shipped. Your chosen payment method has now been charged.

The Norwich Camping & Leisure

Attached is a file invoice-2425.doc of which I have only seen a single sample so far, with a VirusTotal detection rate of 5/55. The document contains this malicious macro [pastebin] which apparently downloads a malicious binary to %TEMP%\ZipCock32.exe
Analysis of the document and the payload is pending (please check back later); it is most likely that it downloads the Dridex banking trojan.
According to this Hybrid Analysis report, the malicious document downloads an executable from:
This has a VirusTotal detection rate of 5/55. That report indicates malicious traffic to:
18.104.22.168 (Online SAS / Iliad Entreprises / Poney Telecom, France)
I recommend that you block traffic to that IP.
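As an added illustration (not part of the original post) of how a defender might operationalise the indicators above, the following script scans endpoint telemetry for the infection chain described here: an Office process spawning a binary out of %TEMP%, the specific dropped filename, and any connection to the reported IP. The event records and their field names are constructed, Sysmon-style samples; nothing here is real telemetry.

```python
import re
from typing import Dict, List, Set, Tuple

# Indicators taken from the post above.
C2_IP = "18.104.22.168"
DROPPED_NAME = "zipcock32.exe"   # compared case-insensitively

# Constructed sample events (hypothetical Sysmon-like fields), not real logs.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "host": "ws01",
     "parent": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\ZipCock32.exe"},
    {"type": "process", "host": "ws01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"},
    {"type": "network", "host": "ws01",
     "image": r"C:\Users\alice\AppData\Local\Temp\ZipCock32.exe",
     "dst_ip": C2_IP, "dst_port": "443"},
    {"type": "network", "host": "ws02",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "dst_ip": "198.51.100.7", "dst_port": "80"},
]

# Generic behaviour: an Office application launching something from the user's Temp dir.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
OFFICE_APP = re.compile(r"\\(WINWORD|EXCEL|POWERPNT)\.EXE$", re.IGNORECASE)


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the alert labels that apply to a single event."""
    alerts: List[str] = []
    image = ev.get("image", "")
    if ev["type"] == "process":
        if OFFICE_APP.search(ev.get("parent", "")) and TEMP_DIR.search(image):
            alerts.append(f"office-child-in-temp: {image}")
        if image.lower().endswith("\\" + DROPPED_NAME):
            alerts.append(f"known-dropped-name: {image}")
    elif ev["type"] == "network":
        if ev.get("dst_ip") == C2_IP:
            alerts.append(f"known-c2-ip: {image} -> {C2_IP}:{ev.get('dst_port')}")
    return alerts


def scan(events: List[Dict[str, str]]) -> Set[Tuple[str, str]]:
    """Scan all events and return (host, alert) pairs worth triaging."""
    return {(ev["host"], a) for ev in events for a in match_event(ev)}


if __name__ == "__main__":
    for host, alert in sorted(scan(SAMPLE_EVENTS)):
        print(host, alert)
```

The behavioural rule (Office parent, child in Temp) catches the technique even after the filename or IP changes; the two indicator rules are there for this campaign specifically.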