From: email@example.comAttached is a Word document 123-reg-invoice.doc which contains a malicious macro [pastebin] and has a detection rate of 5/57. There may be several different versions of this macro, but the sample I saw downloaded a file from:
Date: 12 May 2015 at 10:17
Subject: Copy of your 123-reg invoice ( 123-015309323 )
Thank you for your order.
Please find attached to this email a receipt for this payment.
Help and support
If you are still stuck why not contact our support team? Simply visit our 123-reg Support Centre and click on the Ask a Question tab.
Thank you for choosing 123-reg.
The 123-reg team.
© Copyright 123-reg - Part of Webfusion Ltd
Webfusion Ltd is a company registered in England and Wales with company number 05306504. Our VAT number is 927 1292 22. The address of our registered office is: 5 Roundwood Avenue, Stockley Park, Uxbridge, Middlesex, UB11 1FF.
..which is saved as %TEMP%\ihmail4.1.0.exe and has a VirusTotal detection rate of 5/56. Automated analysis tools    show it phoning home to the following IPs:
188.8.131.52 (Internet-Hosting Ltd, Russia)
184.108.40.206 (Host Telecom Net, Russia)
220.127.116.11 (StarNet SRL, Moldova)
18.104.22.168 (Colobridge gmbh, Germany)
According to this Malwr report it also drops a Dridex DLL with a detection rate of 3/57.