This one looks very well targeted. The title, attachment and content of the e-mail look very genuine and as if it were a real bill.
From: CustomerServices@chesstelecom.com
Subject: Your latest Chess Bill Is Ready
Attachment: 2015-07-Bill.docm
Your bill summary
Account number: 24583
Invoice Number: 2398485
Bill date: July 2015
Amount: £17.50
How can I view my bills?
Your Chess bill is ready and waiting for you online. To check out your detailed bill, previous bills and any charges you’ve incurred since your last bill, just sign into My Account http://www.chesstelecom.com/myaccount
Forgotten your sign in details? If you’ve forgotten your sign in details, no problem, you can reset these by choosing http://www.chesstelecom.com/lost_password.
Making payments is easy!
If you want to make a credit or debit card payment you can do online by choosing http://www.chesstelecom.com/online_payment
You don’t need to do anything if you pay by direct debit, we will collect your payment automatically on or after 30th June. If you pay by cheque, details of how to pay us are available on the invoice.
Switch to Direct Debit today and you’ll save at least £60.00 a year, simply call our dedicated team on 0844 770 6060.
Anything else you’d like to know? Why not visit our support section at http://www.chesstelecom.com/support.
This e-mail has been sent from a Mailbox belonging to Chess Telecom, registered office Bridgford House, Heyes Lane, Alderley Edge, Cheshire, SK9 7JP. Registered in England, number 2797895. Its contents are confidential to the intended recipient. If you receive in error, please notify Chess Telecom on +44 (0)800 019 8900 immediately quoting the name of the sender, the address to which it has been sent and then delete it; you may not rely on its contents nor copy/disclose it to anyone. Opinions, conclusions and statements of intent in this email are those of the sender and will not bind Chess Telecom unless confirmed by an authorised representative independently of this message. We do not accept responsibility for viruses; you must scan for these. Please note that emails sent to and from Chess Telecom are routinely monitored for record keeping, quality control and training purposes, to ensure regulatory compliance and to prevent viruses and unauthorised use of our computer systems. Thank you for your co-operation.
Quotations are subject to terms and conditions, exclude VAT and are subject to site survey.
E&OE
Needless to say, my investigations prove it is a bit of junk. The message I was sent came from a server in Italy, and the attachment is blank apart from a macro.
SHA256 99313f05213cdc82bf15abfe4120711e4ac7ea1d8da19e7c1a31e1114eb1d1c6
VirusTotal Report
As per my previous recommendations, I would block .docm files at your e-mail gateway.
When the .docm was run with macros enabled, it made a request to:
http://delthom.eu.com/4tf33w/w4t453.exe
SHA256 a34e7b8cb971705966e4b260d0936cf17d36f4542bce5f870284321f322901a5
VirusTotal Report
It copied itself to C:\Users\User\AppData\Local\G4E0zMlT\jYZrTrYu.exe and then ran. The last two sections are probably randomly generated.
The payload then started communicating with:
The certificate for the communications was only generated on “31 July 2015 10:26:41”, so within a couple of hours of my researching it.
Thumbprint: 333e215f805480e6de39231b96fe6a64e9611a22
The certificate also contains interesting words which might link it with an earlier interesting certificate run.
CN = anithwereor.uk
OU = obamacare
O = democracy
L = Houston
S = TX
C = US
Another CnC server seen was:
https://95.163.121.252/
This server has a certificate generated slightly earlier, “31 July 2015 10:18:52”.
Thumbprint: 68f0a2ef0a7eadc2e055203327309ba7abdb8b61
It has CN = trtheawa.ml, but the same obamacare OU and address.
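As an added defender's example (not code from the original post), a small Python detector that flags TLS connections whose server certificate resembles the two C2 certificates described above: a known thumbprint, the shared obamacare/democracy/Houston subject, or a certificate minted only hours before the connection was seen. The pipe-separated log format and the lines in SAMPLE_LOG are constructed for the example; the two thumbprints and the subject values are the ones quoted in the post.

```python
from datetime import datetime, timedelta

# Indicators quoted in the post: the two C2 certificate thumbprints and the
# subject attributes the two certificates share.
KNOWN_BAD_THUMBPRINTS = {"333e215f805480e6de39231b96fe6a64e9611a22",
                         "68f0a2ef0a7eadc2e055203327309ba7abdb8b61"}
SHARED_SUBJECT_ATTRS = {"OU": "obamacare", "O": "democracy",
                        "L": "Houston", "S": "TX", "C": "US"}
FRESH_CERT_WINDOW = timedelta(hours=24)  # a cert minted this recently is suspicious by itself
# Constructed log lines (hypothetical format): seen|dst_ip|thumbprint|subject|not_before.
# The first mirrors the second C2 server from the post; the other two are made up.
SAMPLE_LOG = """\
2015-07-31T12:40:07|95.163.121.252|68f0a2ef0a7eadc2e055203327309ba7abdb8b61|CN=trtheawa.ml, OU=obamacare, O=democracy, L=Houston, S=TX, C=US|2015-07-31T10:18:52
2015-07-31T12:41:30|203.0.113.9|0000000000000000000000000000000000000000|CN=newhost.example, OU=obamacare, O=democracy, L=Houston, ST=TX, C=US|2015-07-31T11:05:00
2015-07-31T12:45:00|198.51.100.20|1111111111111111111111111111111111111111|CN=www.example.net, O=Example Ltd, L=London, C=GB|2014-02-10T00:00:00
"""

def parse_subject(subject):
    """Turn 'CN=x, OU=y, ...' into a dict; OpenSSL-style ST is folded into Windows-style S."""
    attrs = {}
    for field in subject.split(","):
        if "=" in field:
            key, value = field.split("=", 1)
            key = key.strip().upper()
            attrs["S" if key == "ST" else key] = value.strip()
    return attrs

def classify(seen_at, thumbprint, subject, not_before):
    """Return the reasons one server certificate resembles the C2 certificates above."""
    reasons = []
    if thumbprint.lower() in KNOWN_BAD_THUMBPRINTS:
        reasons.append("known C2 thumbprint")
    attrs = parse_subject(subject)
    if all(attrs.get(k) == v for k, v in SHARED_SUBJECT_ATTRS.items()):
        reasons.append("subject matches C2 certificate template")
    age = seen_at - not_before
    if timedelta(0) <= age < FRESH_CERT_WINDOW:
        reasons.append("certificate issued only %s before connection" % age)
    return reasons

def scan(log_text):
    """Map destination IP -> reasons for every flagged line of the log."""
    flagged = {}
    for line in log_text.splitlines():
        seen, dst, thumb, subject, not_before = line.split("|")
        reasons = classify(datetime.fromisoformat(seen), thumb, subject, datetime.fromisoformat(not_before))
        if reasons:
            flagged[dst] = reasons
    return flagged
```

The freshness check is the generalisable part: a certificate whose validity started within hours of the first connection to it is worth a look even when the subject and thumbprint are new.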