From [email@example.com]
Date Mon, 12 Oct 2015 11:43:16 +0330
Please find attached insurance paperwork including EL certificate. Invoices will follow at the beginning of November.

In the only sample I have seen so far, the attachment name is SKMBT_C36014102815580.doc which has a VirusTotal detection rate of 8/56. This particular document contains this malicious macro [pastebin] which downloads a malware component from the following location:
The usual pattern is that there are several different versions of the document downloading from different locations, but the payload is the same in all cases. This binary is saved as %TEMP%\gicage.exe and has a detection rate of 2/56.
That VirusTotal report and this Hybrid Analysis report show network traffic to:
18.104.22.168 (TransIP BV, Netherlands)
I strongly recommend that you block or monitor traffic to this IP. The payload is the Dridex banking trojan.
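One way to act on that recommendation is to hunt endpoint and network telemetry for the indicators named above. The script below is an added example, not part of the original post: the event dictionary layout, the list of Office parent processes and the expanded %TEMP% path are assumptions, and the sample events are constructed. It goes slightly beyond the single file name by also flagging any executable that an Office process launches from Temp, since the dropped name may differ between document versions.

```python
import ipaddress
import re

# Indicators taken from the post above.
C2_IP = ipaddress.ip_address("18.104.22.168")
PAYLOAD_NAME = "gicage.exe"
# Assumption: macro-capable Office hosts whose child processes are worth checking.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
# Assumption: %TEMP% expands to <profile>\AppData\Local\Temp (Windows Vista and later).
TEMP_EXE = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.exe$", re.IGNORECASE)

def basename(path):
    """Lower-cased final component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Return (index, reason) for every event that matches an indicator."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "net":
            try:
                if ipaddress.ip_address(ev["dst_ip"]) == C2_IP:
                    hits.append((i, "traffic to reported IP"))
            except ValueError:
                continue  # malformed address field, skip the record
        elif ev["type"] == "proc":
            if basename(ev["image"]) == PAYLOAD_NAME:
                hits.append((i, "payload file name"))
            elif basename(ev["parent"]) in OFFICE_PARENTS and TEMP_EXE.search(ev["image"]):
                hits.append((i, "Office spawned executable from Temp"))
    return hits

# Constructed sample events (not real telemetry); 192.0.2.10 is a documentation address.
SAMPLE = [
    {"type": "net", "dst_ip": "18.104.22.168"},
    {"type": "net", "dst_ip": "192.0.2.10"},
    {"type": "proc", "parent": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\gicage.exe"},
    {"type": "proc", "parent": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "image": r"C:\Users\bob\AppData\Local\Temp\qwerty.exe"},
    {"type": "proc", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "net", "dst_ip": "not-an-ip"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(hit)
```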