From [firstname.lastname@example.org]The samples I saw had no body text and an attachment PaymentReceipt.xml [VT 5/55] which is an XML file [pastebin] with a Base64 encoded section which magically transforms into a malicious Word macro.
Date Wed, 22 Jul 2015 19:26:51 +0700
Subject Payment Receipt
This macro downloads a malicious binary from:
Other versions of the attachment may download the same binary from different locations. This is saved as %TEMP%\mikapolne.exe and has a VirusTotal detection rate of 26/55. Automated analysis    shows it communicating with:
126.96.36.199 (Reg.Ru, Russia)
This IP has been in use in this other campaign today and is well worth blocking.