From "info" [email@example.com]Attached is a file Receipt.doc which I have seen in two different versions (VT detection rate 4/56 and 3/56) each containing a different malicious macro   [Pastebin] which download a malicious binary from one of the following locations:
Date Thu, 08 Oct 2015 12:39:28 +0300
Subject Receipt from Norfolk Dance
Please find receipt for payment attached.
14 Chapel Field North
Telephone: 01603 283399
E mail: firstname.lastname@example.org
This is saved as %TEMP%\fDe12.exe and currently has a VirusTotal detection rate of 4/55. The VirusTotal report indicates traffic to the following IP:
220.127.116.11 (Rackspace, US)
I recommend that you block traffic to this IP. Automated analysis is pending (check back later) but the payload is almost definitely the Dridex banking trojan.
The Hybrid Analysis report for the DOC file is here, and their analysis of the executable is available here with a Malwr report also here.