From: Brittney Spencer , Customer service [Fitzgerald.79f7@host-77-242-217-170.telecomitalia.sm]
Date: 22 October 2014 12:46
Subject: Reference:ZHO904856SU
This email contains an invoice file attachment ID:ZHO904856SU
Thanks!
Brittney Spencer .
In this case the attachment was ZHO904856SU.doc, which contains a malicious macro; at the moment, however, the document shows a VirusTotal detection rate of 0/54.
Attempting to open the document gives the following message:
You didn't enable macros.
Content cant be visible.
Content cant be visible.
...along with an embedded image showing the victim how to enable macros.
If the victim does this, then this malicious macro [pastebin] runs and downloads an executable from http://162.243.234.167:8080/gr/4.exe which has a VirusTotal detection rate of just 1/53.
The Malwr analysis shows this binary posting data to: http://178.250.243.114/IArej7rcO/@HPZ8A5aPU_W/
The 178.250.243.114 IP address is allocated to MajorDomo LLC, Russia. The executable also drops a malicious DLL named 2.tmp, which likewise has a VirusTotal detection rate of 0/54.
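The download and callback described above are the network side of this infection chain, and that is where a proxy log can catch it even while the document and binary are undetected. The following script is an added example, not part of the original post: it scans constructed proxy log lines (a simplified "timestamp client method url status" layout assumed for illustration) for the two indicators named in the post and for the more general pattern of an .exe fetched from, or a POST sent to, a bare IP-literal host.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the post: the macro's download URL and the
# binary's POST destination.
IOC_HOSTS = {"162.243.234.167", "178.250.243.114"}
IOC_URLS = {"http://162.243.234.167:8080/gr/4.exe"}

# Constructed sample log lines (not real traffic) in an assumed
# "timestamp client method url status" layout.
SAMPLE_LOG = """\
2014-10-22T12:51:03 10.0.0.15 GET http://162.243.234.167:8080/gr/4.exe 200
2014-10-22T12:51:09 10.0.0.15 POST http://178.250.243.114/IArej7rcO/@HPZ8A5aPU_W/ 200
2014-10-22T12:52:00 10.0.0.22 GET http://www.example.com/index.html 200
2014-10-22T12:53:10 10.0.0.31 GET http://203.0.113.9/update.exe 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d{3})$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify(line):
    """Return a hit record for a suspicious line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, client, method, url, _status = m.groups()
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    # Exact match against the indicators published in the post.
    if url in IOC_URLS or host in IOC_HOSTS:
        reasons.append("known-ioc")
    # Generic heuristic: executables are rarely served from raw IPs.
    if IP_RE.match(host) and parsed.path.lower().endswith(".exe"):
        reasons.append("exe-from-ip-literal")
    # Generic heuristic: a POST straight to an IP literal is a common C2 shape.
    if method == "POST" and IP_RE.match(host):
        reasons.append("post-to-ip-literal")
    if not reasons:
        return None
    return {"client": client, "url": url, "reasons": reasons}


def scan(log_text):
    """Classify every line of a log and return only the hits, in order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]
```

The generic heuristics will also flag legitimate update traffic from IP-literal hosts (the last sample line), so they are triage signals to review alongside the exact indicators rather than block rules on their own.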