From "Stephanie Greaves" [firstname.lastname@example.org]
Date Mon, 19 Oct 2015 12:06:42 +0430
Please see attached purchase order.
Bombardier Transportation (Rolling Stock) UK Ltd
Electronics, Cabling, & Interior Division
Litchurch Lane, Derby, DE24 8AD

Attached is a file COS007202.doc which comes in at least three different versions (VT results), each containing a slightly different malicious macro [pastebin].
Analysis of the documents is pending, but they will almost definitely drop the Dridex banking trojan. Please check back later.
According to these Hybrid Analysis reports, those macros download from the following locations:
The binary they download has a VirusTotal detection rate of 3/56 and is saved as %TEMP%\CrowSoft1.exe. Both the VirusTotal and Hybrid Analysis reports show what looks like malicious traffic going to:
126.96.36.199 (Trinity College Hartford, US)
I recommend that you block traffic to that IP.
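An added example, not part of the original post: a Python check that runs over process-creation events and flags the dropped file name reported above. It also goes beyond that one name and flags any executable started from a Temp directory by an Office application. The event layout (JSON lines using Sysmon's Image and ParentImage field names) and all sample hosts, users and paths are constructed for illustration.

```python
import json
import ntpath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
KNOWN_DROP_NAME = "crowsoft1.exe"  # file name reported on this page

# Constructed sample events, one JSON object per line. Field names follow
# Sysmon event ID 1; hosts, users and paths are made up for this example.
SAMPLE_EVENTS = r'''
{"host": "ws-01", "Image": "C:\\Users\\amy\\AppData\\Local\\Temp\\CrowSoft1.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE"}
{"host": "ws-02", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup_tmp.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE"}
{"host": "ws-03", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"host": "ws-04", "Image": "C:\\Users\\cat\\AppData\\Local\\Temp\\installer.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
'''

def in_temp_dir(path):
    """True if any directory component of a Windows path is named Temp."""
    parts = [p.lower() for p in path.split("\\")]
    return "temp" in parts[:-1]

def classify(event):
    """Return a verdict string for a suspicious event, or None."""
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if not (name.endswith(".exe") and in_temp_dir(image)):
        return None
    if name == KNOWN_DROP_NAME:
        return "known-dropper-name"        # exact indicator from the post
    if parent in OFFICE_PARENTS:
        return "office-spawned-temp-exe"   # same behaviour, renamed payload
    return None                            # Temp exe from a normal parent

def scan(text):
    """Scan JSON-lines text and return a list of (host, verdict) hits."""
    hits = []
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line: skip, do not abort the scan
        verdict = classify(event) if isinstance(event, dict) else None
        if verdict:
            hits.append((event.get("host"), verdict))
    return hits

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_EVENTS):
        print(host, verdict)
```

The behavioural rule matters because the post notes at least three macro variants, so a later variant could save the payload under a different file name.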