From: email@example.comSo far I have seen two different Word documents attached with low detection rates at VirusTotal   containing one of two malicious macros   [pastebin] which then attempt to download an additional component from the following locations:
Date: 9 January 2015 at 06:55
Subject: DO-NOT-REPLY Datasharp UK Ltd - Monthly Invoice & Report
THIS MESSAGE WAS SENT AUTOMATICALLY
Attached is your Invoice from Datasharp Hosted Services for this month.
To view your bill please go to www.datasharp.co.uk. Allow 24 hours before viewing this information.
For any queries relating to this bill, please contact firstname.lastname@example.org or call 01872 266644.
Please put your account number on your reply to prevent delays
The tickletootsies.com download location has been cleaned up, but the other one is still working at it downloads a file with a VirusTotal detection rate of 5/56. That VirusTotal report also shows that it attempts to POST to 220.127.116.11:8080 (1&1, US) which has been a malware C&C server for several weeks and is definitely worth blocking.
UPDATE: the Malwr report shows connections to the following IPs which I recommend you block: