Date: 10 August 2015 at 07:59
Subject: Your order 10232 from Create Blinds Online: Paid
We would like to thank you for your recent order.
Order Status updated on: 10/08/2015
Your Customer ID: 1761
Your Order ID: 10232
Invoice Number: 10232
We received your order and payment on Aug/102015
Your order details are attached:
Create Blinds Online Team
This electronic message contains information from Create Blinds Online which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email (to the numbers or address above) immediately.
Attached is a file invoice-10232.doc which comes in at least two different variants   containing a macro that looks like this [pastebin]. This attempts to download a malicious binary from one of the following locations:
The VirusTotal detection rate for this is 3/55. The Malwr report and Hybrid Analysis reports show that it generates traffic to 18.104.22.168 (Hetzner, Germany). The payload is almost definitely the Dridex banking trojan.