"Duplicate Payment Received" spam has a malicious Word DOC attached

This email comes with a malicious Word document attached:

From:     Margery George
Date:     11 November 2014 11:50
Subject:     INV634746Q Duplicate Payment Received

Good afternoon,

I refer to the above invoice for which we received a bacs payment of £689.75 on 10th November 14.  Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.

I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer.  If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details. 

If you have any queries regarding this matter, please do not hesitate to contact me.

I look forward to hearing from you .

Many thanks 

The reference number in the subject is randomly generated and is reflected in the filename (in this case De_634746Q.doc. There are two different variants I have seen with low detection rates at VirusTotal [1] [2]. These contain two slightly different malicious macros [1] [2] [pastebin] which download a file test.exe from one of the following locations:

http://62.76.180.133/get/get.php
http://62.76.189.108/get/get.php

Note that the IPs are very close, and both belong to Clodo-Cloud / IT House Ltd in Russia. The file is then copied to %TEMP%\NYHEFLJDPZR.exe which has a VirusTotal detection rate of just 1/53.

According to the Malwr report this malicious binary then connects to the following URLs:

http://178.254.57.146/6e@YL/Pjys_~ik/XTuG_XcFEWZpmmB%2C
http://213.140.115.29/G7uwLNQS7fpyGnLHM6qt.HlqA%7Ekp/$O%20FlsN%2C9%3FnC52/wmk.ka.JM%3D%7EpuQ8.I5.4S5
http://213.140.115.29/tUoRAgJ%3DK9V/iwrsseF9oo+z%2DO%2BpbMS/ZY%2BuPUzJI6
http://213.140.115.29/uf432orqHmh&ihs/%24p2z7El%3Fe6ea%2D%2Cxg8_zbu2$zF7t%26j$73sS%2B/%2B%3F3w%2Dh%3D

It also drops a malicious DLL identified which has some generic VirusTotal detection only, but is probably Cridex or Dridex.

Recommended blocklist:
178.254.57.146
213.140.115.29
62.76.180.133
62.76.189.108