Date: 1 February 2016 at 12:11
Subject: Scanned image from email@example.com
Reply to: firstname.lastname@example.org [email@example.com]
Device Name: COPIER
Device Model: MX-2310U
File Format: DOC (Medium)
Resolution: 200dpi x 200dpi
Attached file is scanned document in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated to view the document.
I have seen two different versions of the attached document, named in a format firstname.lastname@example.org_20160129_084903.doc. The detection rate for both is 6/54 and the Malwr report for one of them shows the macro downloading from:
This executable has a detection rate of 4/53 and the Hybrid Analysis report shows that it phones home to:
126.96.36.199 (System Projects LLC, Russia)
I strongly recommend that you block traffic to that IP. The payload is Dridex, as seen here.