From: email@example.comI have seen a single copy of this spam with an attachment invoice574206_1.doc which has a VirusTotal detection rate of 3/55.
Date: 30 November 2015 at 13:42
Subject: Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD
Please see enclosed Sales Invoice for your attention.
Regards from Accounts at James F Kidd
( email: firstname.lastname@example.org )
This Malwr report indicates that in this case there may be an error in the malicious macro [pastebin]. The Hybrid Analysis report is inconclusive. This document is presumably attempting to drop the Dridex banking trojan.
I have received two more samples, one names invoice574206/1.pdf and the other invoice574206/1.doc. Both are Word documents (so the one with the PDF extension will not open). The VirusTotal detection rates are 7/54 and 4/55. One of these two also produces an error when run.
The working attachment (according to this Malwr report and Hybrid Analysis report) downloads a malicious binary from:
This has a VirusTotal detection rate of 3/54. Automated analysis tools     show malicious traffic to:
18.104.22.168 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
22.214.171.124 (PT. Drupadi Prima, Indonesia)
126.96.36.199 (Agava Ltd, Russia)
188.8.131.52 (Elive Ltd, Ireland)
184.108.40.206 (Mauritius Telecom, Mauritius)
220.127.116.11 (Choopa LLC, Netherlands)
18.104.22.168 (FPT Telecom Company, Vietnam)
22.214.171.124 (Szkola Glowna Gospodarstwa Wiejskiego, Poland)
126.96.36.199 (Memset Ltd, UK)
188.8.131.52 (Etihad Atheeb Telecom Company, Saudi Arabia)
184.108.40.206 (TE Data, Egypt)
220.127.116.11 (Sibirskie Seti Novokuznetsk, Russia)
18.104.22.168 (M2 Telecommunications Group Ltd, Australia)
22.214.171.124 (Marosnet Telecommunication Company LLC, Russia)
126.96.36.199 (NWT a.s., Czech Republic)
188.8.131.52 (Wireless Business Solutions, South Africa)
184.108.40.206 (Uzinfocom, Uzbekistan)