From: firstname.lastname@example.orgThere is no body text, and the email appears to come from within the victim's own domain, but this is just a simple forgery.
Date: 14 January 2016 at 10:45
Subject: Message from local network scanner
Attached is a file Scann16011310150.docf which comes in at least five different versions (VirusTotal results     ). The file is a Word document, despite the extension.. I don't think anything opens DOCF files by default. This is maybe an error, or perhaps some sort of social engineering, or perhaps simply a way to bypass security filters.
Analysis of these documents is pending (check back later), however this is likely to be the Dridex banking trojan. Please check back.
Analysis is running slowing this morning, however this Hybrid Analysis shows one of the samples in action, downloading a binary from:
This has a detection rate of 3/55. That same analysis reports that it phones home to:
22.214.171.124 (PlusServer AG, France)
I strongly recommend that you block traffic to that IP.
These two Malwr reports   reveal some additional download locations: