From: firstname.lastname@example.orgThe attachment is named 1630884720.doc which comes in at least two versions (VirusTotal analysis  ) and which contains a malicious macro like this [pastebin]).
Date: 19 November 2015 at 12:40
Subject: Your Google invoice is ready
Attached to this email, please find the following invoice:
Invoice number: 1630884720
Due date: 19-Nov-2015
Billing ID: 34979743806
Please follow instructions on the invoice for remitting payment. If you have questions, please contact email@example.com.
The Google Billing Team
Billing ID: 0349-7974-3806
Analysis of the documents is still pending (please check back), although the payload is almost definitely the Dridex banking trojan.
The Hybrid Analysis of the two documents   shows attempted downloads from the following locations:
bhairavraffia.com/8i65h4g53/o97i76u54.exe [file not found]
This binary has a detection rate of 1/54 and those reports indicate malicious network traffic to the familiar IP address of:
188.8.131.52 (Ministry of Education, Thailand)
I strongly recommend that you block traffic to that IP.