From: Internal Revenue Service [email@example.com]
Date: 6 March 2015 at 08:48
Subject: Your 2015 Electronic IP Pin!
This is to inform you that our system has generated your new secured Electronic PIN to e-file your 2014 tax return.
Please kindly download the microsoft file to securely review it.
Internal Revenue Service
915 Second Avenue, MS W180
So far I have only seen a single sample of this with an attachment TaxReport(IP_PIN).doc - although there are usually several different versions. Currently this is undetected by AV vendors. This contains a malicious macro [pastebin] which downloads a component from the following location:
There are probably other download locations, but the payload will be the same. This is saved as %TEMP%\324235235.exe and has a detection rate of 1/55. Automated analysis tools   show attempted connections to:
22.214.171.124 (MWTV, Latvia)
126.96.36.199 (Digital Networks CJSC aka DINETHOSTING, Russia)
188.8.131.52 (Net3, US)
184.108.40.206 (OneGbits, Lithunia)
According to the Malwr report this executable drops another version of itself [VT 1/56] and a malicious DLL [VT 2/56].