The following e-mail came through today:
From “email@example.com” <firstname.lastname@example.org>
Date Mon, Jan 26, 2015, 11:47 AM
Subject Berendsen UK Ltd Invoice 60020918 117
Please find attached your invoice dated 1st January.
All queries should be directed to your branch that provides the service. This detail can be found on your invoice.
This e-mail and any attachments it may contain is confidential and
intended for the use of the named addressee(s) only. If you are not
the intended recipient, you have received it in error, please
immediately contact the sender and delete the material from your
computer system. You must not copy, print, use or disclose its
contents to any person. All e-mails are monitored for traffic data and
the content for security purposes.
Berendsen UK Ltd, part of the Berendsen plc Group.
Registered Office: 4 Grosvenor Place, London, SW1X 7DL.
Registered in England No. 228604
Attached was “IRN001526_60020918_I_01_01.DOC” (VirusTotal Report – SHA256: 17b2a838cf97a51a957b4fdac872da5275099eafe51d9ef36e4ccd0807863cd6) with a passworded macro. When the macros are enabled it attempts to contact http://geninc.ca/js/bin.exe but the page is currently giving a 403 Forbidden so the infection fails.