From: firstname.lastname@example.orgThe only sample I have seen of this is badly mangled and required some work to extract and decode the attachment invoice-1501383360.doc which has a VirusTotal detection rate of 3/57. This contains a malicious macro [pastebin] which downloads a component from the following location:
Date: 27 April 2015 at 08:55
Subject:  Booking.com Invoice 01/03/2015 - 31/03/2015
Herewith you receive the electronic invoice regarding the commissions for the period from 01/03/2015 to 31/03/2015.
If you have any questions, please contact our Credit Control Department at telephone number
+44 (0)208 612 8210 (e-mail: ).
Thank you for working with Booking.com.
There are probably other slightly different versions of the Word document that download from different locations, however the binary will be the same. This malicious executable is saved as %TEMP%\zigma2.5.exe and has a VirusTotal detection rate of 2/57.
Automated analysis tools    show an attempted network connection to:
22.214.171.124 (RuWeb CJSC, Russia)
According to the Malwr report it also drops a malicious Dridex DLL with a detection rate of 4/57.