From [email@example.com]Attached is a file Inv_26949_from_I__SPI_Ltd_7888.doc which actually comes in several different versions       which contains a malicious macro like this one [pastebin] that downloads an executable from one of the following locations:
Date Tue, 25 Aug 2015 20:37:09 +0800
Subject Invoice 26949 from I - SPI Ltd
This Hybrid Analysis report shows network traffic to:
126.96.36.199 (Hostpro Ltd, Ukraine)
This is the same bad IP as found in this earlier spam run, I recommend that you block it. The payload here is almost definitely the Dridex banking trojan.