I just received one of these as well. They seem to get their targets by compromising a single user and then by monitoring the people who are viewing the same Google Docs as the infected victim had in the past.