From: Dawn Salter [email@example.com]
Date: Wed, 27 Jan 2016 19:04:27 +0530
Subject: Invoice 9210
I hope all is good with you.
Please see attached invoice 9210.
+44 (0)1252 616000 / +44 (0)1252 622722
+44 (0)1252 916494
1 Blue Prior Business Park, Church Crookham, Fleet, Hants, GU52 0RJ
[BPMA Chartered Supplier]
DISCLAIMER: This e-mail and attachments are confidential and are intended solely
for the use of the individual to whom it is addressed. Any views or opinions presented
are solely those of the author and do not necessarily represent those of MRS Web
Solutions Limited. If you are not the intended recipient, be advised that you have
received this e-mail in error and that any use, dissemination, forwarding, printing,
or copying of this e-mail is strictly prohibited. If this transmission is received
in error please notify the sender immediately and delete this message from your e-mail
system. All electronic transmissions to and from MRS Web Solutions Ltd are recorded
and may be monitored. Company Registered in England No. 3900283. VAT GB733622153.
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
The attachment is named 9210.doc, which I have seen come in three versions (VirusTotal). The Malwr reports for those show executable download locations at:
This binary has a detection rate of 1/53 and an MD5 of 9c8b2d84665aeedc1368e9951c07a469. Hybrid Analysis of the binary shows that it phones home to:
126.96.36.199 (Loxley Wireless Co. Ltd., Thailand)
This is the same IP as seen in this earlier spam run. I recommend you block it.