From: Fletcher Oliver [email@example.com]
Date: 17 February 2016 at 06:23
Subject: Fwd:Accumsan Neque LLC Updated Invoice
Please check the bill in attachment. In order to avoid fine you have to pay in 12 hours.
Accumsan Neque LLC
Attached is a document Q7FX9ZH.doc with the distinctive text Attention! To view this document, please turn on the Edit mode and Macroses!
2/54. Hybrid Analysis   shows that the macro first downloads from:
This looks to be an unremarkable JPEG file..
steganography). A malicious VBS is created [pastebin] and a malicious EXE file is dropped with a VirusTotal result of 7/54.
Automated analysis of the dropped binary   shows that it phones home to:
126.96.36.199 (Immedion LLC, US / VirtuaServer Informica Ltda, Brazil)
I strongly recommend that you block traffic to that IP. Payload is uncertain, but possibly the Dridex banking trojan.