From "Clare Harding" [firstname.lastname@example.org]
Date Fri, 30 Oct 2015 16:42:26 +0530
Subject Purchase Order 0000035394 customer 09221
Purchase Order 0000035394
Please find attached a copy of our order (reference 0000035394), your
If you have any questions regarding the purchase order please contact us
using the details below.
Carters Packaging Ltd, Packaging House, Wilson Way, Pool, Redruth, Cornwall,
Fax: +44 (0) 1209 315 600
Attached is a file Purchase Order 0000035394.doc which apparently comes in several different versions, although all the samples I saw had the same attachment with a VirusTotal detection rate of 5/55 and which contained this malicious macro [pastebin].
Download locations for all the document versions (h/t to my source) are:
It looks like the downloaded executable is saved as %TEMP%\httsser.exe and it has a VirusTotal detection rate of 5/55. That VirusTotal report and this reverse.it report show that it generates network traffic to:
126.96.36.199 (Ho Chi Minh City Post and Telecom Company, Vietnam)
I strongly recommend that you block access to that IP. The payload appears to be the Dridex banking trojan.
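As an added example (not part of the original post), here is a small correlation check that walks endpoint events and flags the chain described above: an Office process writing an .exe into %TEMP%, that dropped httsser.exe being executed, and an outbound connection to the IP given in the write-up. The pipe-delimited Sysmon-style event lines, host names and paths are constructed for illustration; only the file name and IP come from the post.

```python
import re
from collections import defaultdict

# Indicators quoted from the write-up above; everything else here is constructed.
C2_IP = "126.96.36.199"
DROPPED_EXE = "httsser.exe"
OFFICE_IMAGES = ("winword.exe", "excel.exe")
# Executable written directly under the user's %TEMP% directory
TEMP_EXE = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed Sysmon-style events (not real telemetry): time|host|event|image|detail
SAMPLE_EVENTS = """\
10:01:02|ws17|ProcessCreate|C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE|Purchase Order 0000035394.doc
10:01:09|ws17|FileCreate|C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE|C:\\Users\\alice\\AppData\\Local\\Temp\\httsser.exe
10:01:10|ws17|ProcessCreate|C:\\Users\\alice\\AppData\\Local\\Temp\\httsser.exe|parent=WINWORD.EXE
10:01:12|ws17|NetworkConnect|C:\\Users\\alice\\AppData\\Local\\Temp\\httsser.exe|126.96.36.199:80
10:02:00|ws22|NetworkConnect|C:\\Program Files\\Internet Explorer\\iexplore.exe|93.184.216.34:443
10:03:00|ws30|FileCreate|C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE|C:\\Users\\bob\\AppData\\Local\\Temp\\httsser.exe
"""

def parse_events(text):
    """Split pipe-delimited lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue
        time, host, kind, image, detail = parts
        events.append({"time": time, "host": host, "kind": kind,
                       "image": image, "detail": detail})
    return events

def classify(ev):
    """Map one event onto a stage of the infection chain, or None if it is unrelated."""
    image, detail = ev["image"].lower(), ev["detail"].lower()
    if ev["kind"] == "FileCreate" and image.endswith(OFFICE_IMAGES) and TEMP_EXE.search(detail):
        return "office_drops_exe"      # macro wrote an executable into %TEMP%
    if ev["kind"] == "ProcessCreate" and TEMP_EXE.search(image) and image.endswith(DROPPED_EXE):
        return "dropped_exe_runs"      # the dropped httsser.exe was launched
    if ev["kind"] == "NetworkConnect" and detail.split(":")[0] == C2_IP:
        return "c2_contact"            # traffic to the IP named in the report
    return None

def detect(events):
    """Return {host: [stages seen, in order]} for every host with at least one stage."""
    stages = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage and stage not in stages[ev["host"]]:
            stages[ev["host"]].append(stage)
    return dict(stages)
```

A host showing all three stages (ws17 in the sample) is the one to isolate first; a host with only the drop stage (ws30) still warrants a look, since the macro ran even if the payload never executed.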
Carters Packaging are on the ball and have put a big notice on their site, which is nice work.