From "UUSCOTLAND" [UUSCOTLAND@uuplc.co.uk]
Date Thu, 22 Oct 2015 19:30:13 +0700
Subject Water Services Invoice

I hope you are well.
Please find attached the water services invoice summary for the billing period of
22 September 2015 to 22 October 2015.
If you would like any more help, or information, please contact me on 0345 0726077.
Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to
help you. Alternatively you can email me at firstname.lastname@example.org.
United Utilities Scotland
T: 0345 0726077 (26816)

EMGateway3.uuplc.co.uk made the following annotations
The information contained in this e-mail is intended only
for the individual to whom it is addressed. It may contain
legally privileged or confidential information or otherwise
be exempt from disclosure. If you have received this Message
in error or there are any problems, please notify the sender
immediately and delete the message from your computer. You
must not use, disclose, copy or alter this message for any
unauthorised purpose. Neither United Utilities Group PLC nor
any of its subsidiaries will be liable for any direct, special,
indirect or consequential damages as a result of any virus being
passed on, or arising from the alteration of the contents of
this message by a third party.
United Utilities Group PLC, Haweswater House, Lingley Mere
Business Park, Lingley Green Avenue, Great Sankey,
Warrington, WA5 3LP
Registered in England and Wales. Registered No 6559020

So far I have seen three different versions of the attachment, all named 22 October 2015 Invoice Summary.doc, with detection rates of between 4/55 and 7/55 at VirusTotal, containing one of these malicious macros.
Analysis of the documents is pending, but one key indicator is that the file appears to be saved as %TEMP%\bluezone3.exe. Check back later for updates.
This VirusTotal report also identifies the following download locations:
This file has a VirusTotal detection rate of 2/54 and that report indicates network traffic to:
126.96.36.199 (Linode, US)
Further analysis is pending; in the meantime I suggest that you block traffic to the above IP.
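As an added example (not part of the original post), the script below turns the indicators named above into a small triage check that a defender can run over their own logs: the attachment name, the dropped path %TEMP%\bluezone3.exe (matched as a path ending in \Temp\bluezone3.exe, which is where %TEMP% normally resolves), and the 126.96.36.199 address. The log lines, field names and the loose key=value log format are all constructed for the demonstration and are not from the page; the iptables rule at the end is one way to implement the "block traffic to the above IP" advice on a Linux egress filter.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Indicators as given in the post above.
ATTACHMENT_NAME = "22 october 2015 invoice summary.doc"   # compared case-insensitively
DROPPED_PATH_SUFFIX = r"\temp\bluezone3.exe"               # %TEMP%\bluezone3.exe, resolved
C2_IP = "126.96.36.199"                                     # Linode, US per the post


@dataclass(frozen=True)
class Hit:
    line_no: int      # 1-based position in the scanned input
    indicator: str    # which indicator fired
    line: str         # the offending log line, for the analyst


# Constructed sample log lines (assumed key=value format, not from the page):
# a proxy/firewall record, an endpoint process-creation record, a mail-gateway
# record, and one benign line that must not match.
SAMPLE_LOGS = [
    'ts=2015-10-22T12:41:03Z src=10.1.2.34 dst=126.96.36.199 dport=80 action=allow',
    'ts=2015-10-22T12:40:58Z host=ws017 event=process_create '
    'image="C:\\Users\\bob\\AppData\\Local\\Temp\\bluezone3.exe" parent="WINWORD.EXE"',
    'ts=2015-10-22T12:39:10Z host=mx1 event=attachment from="UUSCOTLAND@uuplc.co.uk" '
    'filename="22 October 2015 Invoice Summary.doc"',
    'ts=2015-10-22T12:42:00Z src=10.1.2.35 dst=93.184.216.34 dport=443 action=allow',
]


def _fields(line: str) -> dict[str, str]:
    """Parse key=value and key="quoted value" pairs into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def match_line(line: str) -> list[str]:
    """Return the names of every indicator that fires on one log line."""
    f = _fields(line)
    hits: list[str] = []
    if C2_IP in (f.get("src"), f.get("dst")):
        hits.append("c2_ip")
    if f.get("image", "").lower().endswith(DROPPED_PATH_SUFFIX):
        hits.append("dropped_exe")
    if f.get("filename", "").lower() == ATTACHMENT_NAME:
        hits.append("attachment_name")
    return hits


def scan(lines: Iterable[str]) -> list[Hit]:
    """Run match_line over every line and collect the hits in input order."""
    return [
        Hit(n, ind, line)
        for n, line in enumerate(lines, start=1)
        for ind in match_line(line)
    ]


def egress_block_rule(ip: str = C2_IP) -> str:
    """One way to act on the post's advice: an iptables drop for outbound traffic to the IP."""
    return f"iptables -A OUTPUT -d {ip} -j DROP"


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.indicator}: {h.line}")
    print(egress_block_rule())
```

The three indicators are kept deliberately independent: a process-creation hit on bluezone3.exe without any matching network record is still worth looking at, since the post notes that the document was seen in three variants and the downloaded payload itself had a 2/54 detection rate, so endpoint AV alone cannot be relied on to raise the alert.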