The Internet Storm Center warms of a new malicious spam attack wave that appears to be a billing statement during this season of high e-commerce activity:

https://isc.sans.edu/forums/diary/Malicious+spam+Subject+RE+Bill/20417/

Earlier today (Wednesday 2015-11-25), one of our readers notified the ISC of malicious spam (malspam) with a Word document designed to infect a Windows computer with malware.  I found examples of the malspam and looked into it.  Word documents from this particular campaign will download Pony malware to infect a Windows computer with Vawtrak.  This malspam was blocked by our spam filters, but others might see it, so I’m posting the information in a diary.   The emails spoof your company name (or whatever domain you’re using for your email address), and they have a Microsoft Word document as an attachment.  The one’s I’ve found have all been plain-text.

From: “accounting@[your company].com”
 Reply-To: “accounting@[your company].com”
 Date: Wednesday, 2015-11-25 at 09:37 CDT
 To: [your email address]
 Subject: Re: bill

This bill just came through and it has your name on it.
 What is this about?


 Este email está livre de vírus e malware porque a proteção avast! Antivirus está ativa.
 https://www.avast.com/antivirus

Attachment: Bill.doc

The messages all have a notification at the bottom stating “This email is free of viruses and malware protection because the Avast! Antivirus is active.”  These antivirus messages were all in different languages, based on the host these emails were sent from.