From: Sue Morckage
Date: 7 November 2014 13:10
Subject: inovice 9232088 November
This email contains an invoice file attachment

The number in the subject is random, and attached is a document named in the same format (in this example invoice_9232088.doc). So far I have seen two attachments, both with VT detection rates of 4/54 [1] [2] [Malwr report], each containing one of two malicious macros [1] [2], which then download a binary from one of the following locations:
http://ksiadzrobak.cba.pl/bin.exe
http://heartgate.de/bin.exe
This binary gets copied into %TEMP%\AKETVJIJPZE.exe and has a VirusTotal detection rate of just 1/54. So far automated analysis tools [1] [2] [3] are inconclusive as to what it does, but the payload is likely to be Cridex.
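A mail-filter check for the pattern described above, where the number in the subject is reused in the .doc attachment name. This is an added example and not part of the original post: the regexes are assumptions generalised from the single sample shown, and the function names, addresses and attachment bytes are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Generalised from the single sample in the post (assumption):
# subject "inovice <number> <month>", attachment "invoice_<number>.doc".
SUBJECT_RE = re.compile(r"\bin(?:vo|ov)ice\s+(\d+)\b", re.IGNORECASE)
ATTACH_RE = re.compile(r"^invoice_(\d+)\.doc$", re.IGNORECASE)


def matching_attachments(raw: bytes) -> list[str]:
    """Return attachment names whose number repeats the one in the subject."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = SUBJECT_RE.search(str(msg.get("Subject", "")))
    if subject is None:
        return []
    hits = []
    for part in msg.iter_attachments():
        name = ATTACH_RE.match(part.get_filename() or "")
        if name and name.group(1) == subject.group(1):
            hits.append(part.get_filename())
    return hits


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message; addresses and attachment bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("This email contains an invoice file attachment")
    msg.add_attachment(b"placeholder, not a real document",
                       maintype="application", subtype="msword",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, fname in [
        ("inovice 9232088 November", "invoice_9232088.doc"),  # pattern from the post
        ("invoice 1001 November", "invoice_2002.doc"),         # numbers differ
        ("Meeting notes", "notes.doc"),                        # unrelated mail
    ]:
        print(subj, "->", matching_attachments(build_sample(subj, fname)))
```

A hit is a reason to quarantine the message for review, not proof of infection, since the match is on naming alone.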
1 comment:
Thanks for ur help