From: Sales [email@example.com]Attached is a Word document named Invoice 1195288 from EXB (UK) Limited.doc which comes in at least three different versions (VirusTotal results   ) and which contain a complex macro [pastebin] that fails to run in automated analysis tools      .
Date: 8 December 2015 at 12:03
Subject: EXB (UK) Ltd Invoice
Please find attached our invoice, Thank you for your order
EXB (UK) Ltd
The payload (if it works) is likely to be the Dridex banking trojan.
According to the comments on this post plus some other sources, the macros in these documents download from:
That payload is identical to the one found in this earlier spam run.