From: aalabels [email@example.com]
Date: 2 February 2016 at 07:06
Subject: Order Dispatch: AA207241
Order Dispatch Confirmation
This email is to confirm that your order number AA207241 has been dispatched from our warehouse today and your order will be with you the following working day.
Your order has been dispatched via DPD and your order tracking number is 1160173211.
A VAT invoice for your order has been attached in pdf format for your reference.
Code Product Name Qty QS QB No of Packs
AAS021WTP Matt White - Permanent A4 Sheet Labels - 21 Rectangle - 63.5 mm x 38.1 mm 1000 1000 0 10
QS: Quantity Shipped
QB: Quantity Backed
If you need to contact us about this order then please call our customer care team on 01733 588 390 or email firstname.lastname@example.org
Thank you for your order.
23 Wainman Road
Phone: 01733 588390
Fax: 01733 425106
  ). These Malwr reports    show the macro in the documents downloading from one of the folllowing locations:
This binary has a detection rate of 5/52. That VirusTotal result and those Malwr reports show it phoning home to:
126.96.36.199 (Hostpro Ltd, Ukraine)
I would strongly recommend blocking traffic to that IP, or indeed you can probably block the entire 188.8.131.52/22 range will no ill effects.