From: firstname.lastname@example.orgThe link in the email actually goes to a page at reg.vn/en/view_bill.php?id=encoded-email-address (where the last part is the email address in Base 64 encoding). It downloads a malicious document lgm_bill69290.doc with a current detection rate of 8/55.
Date: 21 November 2016 at 18:35
Subject: Your LogMein.com subscription has expired!
You are receiving this message because your subscription for LogMeIn Central has expired.
We were not able to charge you with the due amount because your credit card was declined.
You can download the bill directly from the LogMeIn website:
Please use another credit card or payment method in order to avoid complete service interruption.
Event type: Credit Card Declined
Account email: [redacted].
If you need more help, visit LogMeIn Support at:
Important Security Notice:
LogMeIn will never for your password or other sensitive information by email.
(Please don't reply to this email, as it's sent from an address that's not monitored.)
© LogMeIn Inc
Automated analysis   shows malicious network traffic to and from:
A malicious executable is dropped with a detection rate of 7/57. The payload appears to be Hancitor / Vawtrak.
The domain secure-lgm.com appears to have been created for the purposes of sending the email. The probably fake WHOIS details are:
Registrant Name: Nikolay Vazov
Registrant Organization: NA
Registrant Street: 106 Vitosha Blvd.
Registrant City: Sofia
Registrant State/Province: Sofia
Registrant Postal Code: 1463
Registrant Country: bg
Registrant Phone: +359.28058181
Registrant Phone Ext:
Registrant Fax: +359.28058787
Registrant Fax Ext:
Registrant Email: email@example.com