Date: 28 October 2015 at 08:57
Subject: Thank you for your order
IKEA UNITED KINGDOM
To print, right click and select print or use keys Ctrl and P.
Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
Parcelforce
We will confirm your delivery date by text, email or telephone within 72 hrs.
8:31am GMT
Order/Invoice date:
Please note that this email does not mean that we have accepted your order and it does not form a binding contract. A contract will be formed between You and IKEA at the time we dispatch your order to you, with the exception of made to order sofas and worktops where order acceptance occurs at the point when we send you our Delivery Advice email.
Attached is a file IKEA receipt 607656390.doc which contains this malicious macro and which has a VirusTotal detection rate of 4/55.
Analysis of the document and whatever it downloads is pending, but this is likely to be the Dridex banking trojan.
The reverse.it analysis of the first sample shows a download from:
This dropped binary has a detection rate of just 2/55.
Two further samples have now been seen (VT results) and, according to the analysis of one of them, it downloads from:
Analysis of the dropped binary is pending. Please check back shortly.
A further reverse.it analysis shows another download location of:
The reverse.it analysis of the dropped binary is inconclusive.
According to sources cleverer than I, this doesn't appear to be Dridex at all, but Neutrino Bot / Kasidet, which downloads the Shifu banking trojan in the UK.