The example I saw read:
From: Mitchel Levy
Date: 8 April 2015 at 13:45
Subject: Invoice from MOTHERCARE
Your latest invoice is now available for download. We kindly advise you to pay the invoice in time.
Download your invoice here.
Thanks for attention. We appreciate your business.
If you have any queries, please do not hesitate to contact us.
Mitchel Levy, MOTHERCARE
The link in the email has an address using the domain afinanceei.com plus a subdomain based on the recipient's email address. It also has the recipient's email address embedded in the URL, for example:
This is hosted on 184.108.40.206 (Granat Studio / Tomgate LLC, Russia) and it leads to a landing page that looks like this:
At the moment the download server seems very unstable and is generating a lot of 500 errors. Incidentally, http://220.127.116.11/api/ shows a fake page pretending to be from Australian retailer Kogan.
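The link pattern described above (a per-recipient subdomain plus the recipient's address carried in the URL) can be hunted for in proxy or mail-gateway logs. The following is an added example, not code from the original post. The exact URL layout is not shown on this page, so the sample URLs, the `id` parameter and the function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def email_tokens(email):
    """Pieces of an address that a per-recipient subdomain could be built from."""
    local, _, domain = email.lower().partition("@")
    parts = re.split(r"[^a-z0-9]+", local) + domain.split(".")[:-1]
    return {p for p in parts if len(p) >= 3}  # ignore short, noisy pieces

def personalised_link(url):
    """Return (embedded_email, shared_token) when the URL carries an email
    address and its subdomain is derived from that address, else None."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    if len(labels) < 3:  # no subdomain at all
        return None
    # Assumption: the registered domain is the last two labels
    # (no public-suffix lookup is done here).
    sub_tokens = set()
    for label in labels[:-2]:
        sub_tokens.update(re.split(r"[^a-z0-9]+", label))
    carried = unquote(parts.path + "?" + parts.query)  # handles %40 for "@"
    for email in EMAIL_RE.findall(carried):
        shared = sub_tokens & email_tokens(email)
        if shared:
            return email.lower(), sorted(shared)[0]
    return None

def scan(urls):
    """Map each matching URL to its (email, token) evidence."""
    return {u: hit for u in urls if (hit := personalised_link(u))}

# Constructed sample URLs. Only the domain afinanceei.com comes from the post;
# the subdomain, path and parameter names are made up for illustration.
SAMPLE_URLS = [
    "http://examplecorp.afinanceei.com/inv/?id=jane.doe%40examplecorp.test",
    "https://news.vendor.example/unsubscribe?u=jane.doe@examplecorp.test",
    "http://examplecorp.afinanceei.com/",
    "http://vendor.example/pay?to=jane.doe@examplecorp.test",
]

if __name__ == "__main__":
    for url, (email, token) in scan(SAMPLE_URLS).items():
        print(f"{url}  email={email}  subdomain-token={token}")
```

Requiring both signals keeps ordinary unsubscribe links, which also embed the recipient's address, out of the results.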
As you might guess, Invoice.xls contains a malicious macro [pastebin] but the real action is some data hidden in the spreadsheet itself:
That's pretty easy to decode, and it instructs the computer to download a malicious binary from:
This is saved as %TEMP%\dfsdfff.exe. Unsurprisingly, 18.104.22.168 is another Russian IP, this time EuroByte LLC.
This binary has a VirusTotal detection rate of 6/57. Automated analysis tools show it communicating with the following IPs:
22.214.171.124 (VNET a.s., Bulgaria)
126.96.36.199 (Telefonica, Spain)
188.8.131.52 (Universidad Complutense De Madrid, Spain)
184.108.40.206 (Synaptica, Canada)
220.127.116.11 (Nowonwoman, Korea)
18.104.22.168 (Leaseweb, Germany)
22.214.171.124 (iomart, UK)
126.96.36.199 (Choopa LLC, US)
188.8.131.52 (Hathway, India)
184.108.40.206 (Choopa LLC, Canada)
In addition there are some Akamai IPs which look benign:
According to this Malwr report it drops several files including a malicious Dridex DLL which is the same one found in this attack.
There is at least one other server at 220.127.116.11 (Digital Networks CJSC aka DINETHOSTING, Russia) being used as a location to click through to (I recommend you block the entire 18.104.22.168/24 range). Between those two servers I can see the domains listed below in use. I suspect that there are others given the limited alphabetic range