From [email@example.com]I have only seen a single sample with an attachment document2016-02-09-103153.doc which has a VirusTotal detection rate of 5/54. Automated analysis   shows that it downloads a malicious executable from:
Date Tue, 09 Feb 2016 10:31:14 +0200
This has a detection rate of 5/54. Those analyses indicates that the malware phones home to:
126.96.36.199 (Rackspace, US)
I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.