From: Accounts Finchley [firstname.lastname@example.org]
Date: 11 November 2014 10:34
Subject: Bank Payments

Good Afternoon,

Paying in sheet attached

Regards

Sandra Whitmore
Care Home Administrator
Nazareth House
162 East End Road
East Finchley
London
N2 ORU
Tel:02088831104
Fax:02084443691

Nazareth Care Charitable Trust- Registered Office – Larmenier Centre, 162 East End Road, London N2 ORU
Registered Charity – England & Wales – 1113666, Scotland – SCO42374
Registered Company registered in England & Wales – Company Number 05518564

The contents of this message are for the attention and use of the named addressee(s) only. It, and any files transmitted with it, may be legally privileged or prohibited from disclosure or unauthorised use. If you are not an intended recipient or addressee, any form of reproduction, dissemination, copying, disclosure, modification, distribution or publication is prohibited and may be unlawful and the sender will accept no liability for any action taken or omitted to be taken in reliance upon this message or its attachments.

Whilst all efforts are made to safeguard inbound and outbound e-mails, no guarantee can be given that attachments are virus-free or compatible with your systems, and we do not accept any liability in respect of viruses or computer problems experienced.

Any views expressed in this message are those of the individual sender, and do not necessarily represent those of the Sisters of Nazareth.

The domain nazarethcare.com forwards to the Sisters of Nazareth. None of these organisations is actually sending the spam, and their systems have not been compromised in any way. The "from" field in an email is trivially easy to fake, and it looks like the body text may have been stolen from a compromised mailbox.
Attached is a file 2014_11_07_14_09_19.doc which comes in two versions, both with low VirusTotal detection rates. If macros are enabled then one of two macros [pastebin] runs, which then downloads a file from one of the following locations:
This file gets copied to %TEMP%\HZLAFFLTDDO.exe and it has a VirusTotal detection rate of 3/53. The Malwr report shows it phoning home to:
It also drops a DLL identified by VirusTotal as Dridex.
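A defender-side triage of the two traits this post describes, a forgeable "From" field and a macro-carrying .doc attachment, as an added example that is not part of the original post. The message, the `mx.example.net` gateway name and the header values are constructed; `triage`, `domain_of` and `TRUSTED_MTA` are hypothetical names.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not the real spam): hostnames, envelope sender and the
# Authentication-Results values are invented; filename and Subject are from the post.
SAMPLE = """\
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mailer.invalid; dkim=none; dmarc=fail header.from=example.org
From: Accounts Finchley <firstname.lastname@example.org>
Subject: Bank Payments
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Paying in sheet attached
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="2014_11_07_14_09_19.doc"

AAAA
--b1--
"""

TRUSTED_MTA = "mx.example.net"  # assumption: the authserv-id your own gateway stamps
MACRO_CAPABLE = (".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm")

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def triage(raw):
    """Return the reasons a raw RFC 5322 message deserves quarantine or review."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    from_dom, env_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if env_dom and env_dom != from_dom:  # weak signal alone: list and bulk mail also differ
        reasons.append(f"envelope sender {env_dom} != From domain {from_dom}")
    # Headers are attacker-controlled, so read only results stamped by our own MTA.
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(ar).lower().partition(";")
        if authserv.strip() == TRUSTED_MTA:
            reasons += [f"{m} did not pass" for m in ("spf", "dkim", "dmarc")
                        if f"{m}=pass" not in results]
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_CAPABLE):
            reasons.append(f"macro-capable attachment: {name}")
    return reasons
```

The gateway must strip any inbound `Authentication-Results` header that carries its own authserv-id before adding its verdict, otherwise a sender can forge a passing result.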