From: richard will [email@example.com]
Date: 28 April 2015 at 09:05
Subject: INVOICE PD Will Comm
Thank-you for your payment!
Will Communications, Inc.
The samples that I have seen are all corrupted, and the malicious attachment just appears as a jumble of Base 64 encoded text, although this may not be the case with every email. After extraction, the malicious Word document has a detection rate of 4/56 and it contains this malicious macro [pastebin]. In this case, the macro downloads a component from:
..this is saved as %TEMP%\johan3.2.b.exe and has a detection rate of 3/53. There may well be other documents that download from other locations, but the binary will be the same in all cases.
Automated analysis tools    show that it attempts to communicate with the following IP:
220.127.116.11 (RuWeb CJSC, Russia)
According the the Malwr report it drops a malicious Dridex DLL with a detection rate of 2/56.