From: June Rojas [RojasJune95@myfairpoint.net]
Date: 16 February 2016 at 09:34
Subject: ATTN: Invoice J-06593788
Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.
Let us know if you have any questions.
We greatly appreciate your business!
Apache Corporation www.apachecorp.com

Other versions of this spam may come from other corporations. In the single sample I have seen there is an attached file invoice_J-06593788.doc which has a VirusTotal detection rate of 5/54. Analysis is pending, however this is likely to be the Dridex banking trojan.
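A mail-filter check for the lure in this sample, as an added example that is not part of the original post: it flags a message whose subject and .doc attachment carry the same invoice reference, whatever the sender. The reference pattern (one letter, a hyphen, eight digits) is an assumption generalised from the single sample, and the sender address and attachment bytes in the constructed test message are placeholders.

```python
import re
from email.message import EmailMessage

# Assumption: the reference shape is generalised from the one sample on this
# page ("J-06593788"); other messages in the run may use a different format.
SUBJECT_RE = re.compile(r"^ATTN:\s*Invoice\s+(?P<ref>[A-Z]-\d{8})\s*$", re.I)
ATTACH_RE = re.compile(r"^invoice_(?P<ref>[A-Z]-\d{8})\.doc$", re.I)


def attachment_names(msg):
    """Collect the filename of every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def matches_invoice_lure(msg):
    """Return the shared invoice reference when the subject and a .doc
    attachment name agree on it, otherwise None."""
    subject = SUBJECT_RE.match(str(msg.get("Subject", "")))
    if not subject:
        return None
    ref = subject.group("ref").upper()
    for name in attachment_names(msg):
        attach = ATTACH_RE.match(name)
        if attach and attach.group("ref").upper() == ref:
            return ref
    return None


def build_sample(subject, filename):
    """Constructed test message: placeholder sender and attachment bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"  # placeholder, the sender varies
    msg["Subject"] = subject
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="msword", filename=filename)
    return msg


if __name__ == "__main__":
    lure = build_sample("ATTN: Invoice J-06593788", "invoice_J-06593788.doc")
    print(matches_invoice_lure(lure))
```

Requiring the subject and the attachment name to agree keeps the check independent of the forged sender and company name, which the post notes may vary.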
This Dridex run exhibits a change in behaviour from previous ones. I acquired three samples of the spam run and ran the Hybrid Analysis report on them and it shows that the macro downloads from one of the following locations:
Curiously, the binary downloaded from each location is different, with the following MD5s:
Each one phones home to a different location; the ones I have identified are:
220.127.116.11 (McHost.ru, Russia)
18.104.22.168 (One Telecom SRL, Moldova)
22.214.171.124 (Ukrainian Internet Names Center, Ukraine)
There may be other samples with other behaviour.
It is possible that this is dropping ransomware, not Dridex. One other download location identified here:
This one has an MD5 of:
Detection rate is 5/53 but I do not yet know where this phones home to.
That last sample phones home to:
126.96.36.199 (PE Astakhov Pavel Viktorovich, Ukraine)
according to this Hybrid Analysis.
It appears that this is dropping some ransomware called "Locky" apparently by the makers of Dridex, according to this.