From: Natalie [mailto:firstname.lastname@example.org]In the sample that I received, the attachment was named Inv_300846161_from_Living_W.doc which has a VirusTotal detection rate of 1/55. This contains a malicious macro [pastebin] which downloads a file from the following location:
Sent: Wednesday, April 15, 2015 9:43 AM
Subject: Invoice from Living Water
Dear Customer :
Your invoice is attached. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
0203 139 9051
There are probably other download locations, but they will all have the same payload. This is saved as %TEMP%\rizob1.0.exe and currecntly has a detection rate of 6/57. Automated analysis tools    show attempted connections to the following IPs:
220.127.116.11 (StarNet, Moldova)
18.104.22.168 (TheFirst-RU, Russia)
22.214.171.124 (Reg.Ru Hosting, Russia)
According to this Malwr report it drops a Dridex DLL with a detection rate of 4/57.