From "PHSOnline" [email@example.com]I don't have a copy of the body text for these messages, but the attachment is named G-A0287580036267754265.doc which comes in three different versions (VT results   ) containing a macro like this [pastebin] which downloads a malicious binary from one of the following locations:
Date Mon, 26 Oct 2015 20:28:50 +0700
Subject Your new PHS documents are attached
The Hybrid Analysis reports those those documents are here:   . The file is saved as %TEMP%\ZipCock32.exe and this has VirusTotal detection rate of just 1/55. The Hybrid Analysis report for this binary shows it downloading from the following location:
188.8.131.52 (Online SAS / Iliad Entreprises / Poney Telecom, France)
This is almost definitely the Dridex banking trojan. Note that the documents and download locations appear to be the same as the one use in this earlier attack, but the payload has now changed.