from: Alan CaseOther names and job titles seen include:
date: 15 January 2015 at 08:49
subject: Payment request of 4176.94 (14 JAN 2015)
Sub: Remitance of GBP 4176.94
This is with reference to the above, we request you to kindly remit GBP 4176.94 in favor of our bank account.
For more information on our bank details please refer to the attached document.
Alan Case Remittance Manager
Senior Accounts Payable
The payment amount, name and job title change in each spam, as does the name of the attachment (although this following the format ADV0000XX). There are three malicious Word documents that I have seen, each with a low detection rate at VirusTotal    which in turn contain a slightly different macro    which attempt to download another component from one of the following locations:
Note the two adjacent IPs of 126.96.36.199 and 188.8.131.52 which belong to Digital Networks CJSC in Russia (aka DINETHOSTING), an IP range of 184.108.40.206/18 that I would recommend you consider blocking. 220.127.116.11 is a Hetzner IP.
The macro downloads a file g08.exe from these locations which is then saved as %TEMP%\UGvdfg.exe. This has a VirusTotal detection rate of 4/57. That VT report also shows the malware attempting to POST to 18.104.22.168:8080 (PE "Filipets Igor Victorovych", Ukraine) which is a well-known bad IP.
The Malwr report is inconclusive, but this exectuable probably drops a Dridex DLL.
UPDATE: the following are Dridex C&C servers which you should also block: