From [firstname.lastname@example.org]Attached is a file Document from AL-KO-01.doc which probably comes in many different versions, but I've only had the chance to run two through analysis. Both are undetected by any AV vendor   at present. The structure of the document seems unusual and I am having some difficulties seeing the malicious macros, but these two Hybrid Analysis reports   show the macro in action, downloading from:
Date Thu, 05 Nov 2015 16:33:40 +0530
Subject Document from AL-KO
This document is DOC created by Osiris OSFAX(R) V3.5.
It can be viewed and printed with Microsoft Word(R)
Document from AL-KO.doc
There will be other locations too, all downloading the same binary with a detection rate of 4/54 (MD5 39f7827813ac9bc74a4a9176c9e80487) Other automated analyses   show network traffic to:
188.8.131.52 (Digital Ocean, Singapore)
184.108.40.206 (Cablevision, US)
The payload appears to be the Dridex banking trojan.