Subject: Message from KONICA_MINOLTA
Subject: Message from MFD
Subject: Message from scanner
The spam appears to come from within the victim's own domain, from one of the following email addresses:
MFD@victimdomain.tld
This is just a simple forgery. It doesn't mean that your organisation has been compromised; it really is a very simple trick. In all cases the attachment is named SKM_4050151222162800.doc, which appears to come in three versions (VirusTotal). The Malwr reports indicate executable download locations at:
This binary has a detection rate of 1/54 and that VirusTotal report plus this Malwr report show it phoning home to:
18.104.22.168 (Digital Ocean Inc., US)
I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan, sent by botnet 220.
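A mail-gateway triage check for the forged internal sender described above, as an added example that is not part of the original post. It assumes the receiving gateway stamps an Authentication-Results header; the `triage` and `domain_of` names, the `user@` recipient and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject lines and attachment-name shape taken from the campaign described above.
SUBJECTS = {"Message from KONICA_MINOLTA", "Message from MFD", "Message from scanner"}
ATTACHMENT_RE = re.compile(r"^SKM_\d+\.doc$", re.IGNORECASE)

# Constructed sample message (not a captured email); the attachment body is a placeholder.
SAMPLE = """\
From: MFD@victimdomain.tld
To: user@victimdomain.tld
Subject: Message from MFD
Authentication-Results: mx.victimdomain.tld; spf=fail smtp.mailfrom=victimdomain.tld
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="SKM_4050151222162800.doc"

(constructed placeholder, no real content)
--b1--
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def triage(raw_message):
    """Return the list of reasons this message matches the campaign."""
    msg = message_from_string(raw_message)
    reasons = []
    sender, rcpt = domain_of(msg["From"]), domain_of(msg["To"])
    # Assumption: the receiving gateway stamps Authentication-Results (RFC 8601).
    auth = (msg["Authentication-Results"] or "").lower()
    if sender and sender == rcpt and "spf=pass" not in auth and "dkim=pass" not in auth:
        reasons.append("internal From address without SPF/DKIM pass")
    if (msg["Subject"] or "").strip() in SUBJECTS:
        reasons.append("campaign subject line")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACHMENT_RE.match(name):
            reasons.append("scanner-style .doc attachment: " + name)
    return reasons
```

Only an Authentication-Results header stamped by your own gateway should be trusted here; copies arriving from outside should be stripped before this check runs.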