
Friday, 9 January 2015

Malware spam: DO-NOT-REPLY Datasharp UK Ltd - Monthly Invoice & Report

This spam email pretends to be from a wholly legitimate company called Datasharp UK Ltd, but it is a spoof. Datasharp is not sending the spam, and their systems have not been compromised in any way.
From:    ebilling@datasharp.co
Date:    9 January 2015 at 06:55
Subject:    DO-NOT-REPLY Datasharp UK Ltd - Monthly Invoice & Report

THIS MESSAGE WAS SENT AUTOMATICALLY

Attached is your Invoice from Datasharp Hosted Services for this month.

To view your bill please go to www.datasharp.co.uk.  Allow 24 hours before viewing this information.

For any queries relating to this bill, please contact hosted.services@datasharp.co.uk or call 01872 266644.

Please put your account number on your reply to prevent delays

Kind Regards
Ebilling 
So far I have seen two different Word documents attached with low detection rates at VirusTotal [1] [2] containing one of two malicious macros [1] [2] [pastebin] which then attempt to download an additional component from the following locations:

http://TICKLESTOOTSIES.COM/js/bin.exe
http://nubsjackbox.oboroduki.com/js/bin.exe

The tickletootsies.com download location has been cleaned up, but the other one is still working and it downloads a file with a VirusTotal detection rate of 5/56. That VirusTotal report also shows that it attempts to POST to 74.208.11.204:8080 (1&1, US) which has been a malware C&C server for several weeks and is definitely worth blocking.

UPDATE: the Malwr report shows connections to the following IPs which I recommend you block:
59.148.196.153
74.208.11.204
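
A defender-side triage sketch for the indicators above, added here as an example and not part of the original post: it scans web-proxy log lines for the two download URLs and the C&C IPs and gives each client a verdict. The log layout, the sample lines and the function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicators taken from the post above.
DOWNLOAD_HOSTS = {"ticklestootsies.com", "nubsjackbox.oboroduki.com"}
DOWNLOAD_PATH = "/js/bin.exe"
C2_IPS = {"59.148.196.153", "74.208.11.204"}

# Constructed sample lines in an assumed proxy-log layout:
# <timestamp> <client> <method> <url> <status>
SAMPLE_LOG = """\
2015-01-09T07:02:11 10.0.0.21 GET http://NUBSJACKBOX.oboroduki.com/js/bin.exe 200
2015-01-09T07:02:40 10.0.0.21 POST http://74.208.11.204:8080/ 200
2015-01-09T07:05:03 10.0.0.34 GET http://ticklestootsies.com/js/bin.exe 404
2015-01-09T07:06:19 10.0.0.50 GET http://www.datasharp.co.uk/ 200
2015-01-09T07:09:55 10.0.0.77 POST http://59.148.196.153/ 200
"""

def classify(url):
    """Return 'download', 'c2' or None for one requested URL."""
    parts = urlsplit(url)
    # urlsplit lower-cases the hostname and strips the port, so
    # TICKLESTOOTSIES.COM and 74.208.11.204:8080 both match.
    host = (parts.hostname or "").rstrip(".")
    if host in C2_IPS:
        return "c2"
    if host in DOWNLOAD_HOSTS and parts.path.lower() == DOWNLOAD_PATH:
        return "download"
    return None

def triage(log_text):
    """Map each client IP to the most serious stage seen in the log."""
    seen = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _, client, _, url, status = fields
        stage = classify(url)
        if stage == "download" and not status.startswith("2"):
            stage = "attempt"  # request was made but no payload delivered
        if stage:
            seen.setdefault(client, set()).add(stage)
    verdicts = {}
    for client, stages in seen.items():
        if "c2" in stages:
            verdicts[client] = "c2"
        elif "download" in stages:
            verdicts[client] = "payload_fetched"
        else:
            verdicts[client] = "download_attempted"
    return verdicts
```

A client with only a failed download request still opened the document and ran the macro, so it is worth following up even though no payload arrived.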
 
