I received the email this morning and since I've been working out of this email account for my consulting gig, I thought it was probably fake but wanted to make sure. I loaded up a Windows 7 VM and then opened the doc and enabled content (macros) and it got busy. It spawned some new processes and launched several hidden cmd.exe processes. I killed it after that but wanted to see what it initially did and what the document did. The analysis at malwr.com doesn't seem to automate the enabling of macros.
The return address is firstname.lastname@example.org. The subject is Cancelled Automated Clearing House (ACH) transaction W4423096
The file downloads from a dropbox at: hxxps://www.dropbox.com/s/xnhkqx5kokcc7l7/ACH_transfer9839.doc?dl=1
Here is the malwr.com analysis: https://malwr.com/analysis/NjJmMWQyNzI3YjRiNDc1OTg1YTdkMzhmNGE5NWM1MTU/
Let me add that I am impressed with the Word document itself. An average user would probably not know that the warning that opens up is actually the Word document itself.
Edit: Grammar. Should have proof-read.
Edited by zerodamage, 21 April 2015 - 11:29 AM.