Date: 1 February 2016 at 12:11
Subject: Scanned image from firstname.lastname@example.org
Reply to: email@example.com [firstname.lastname@example.org]
Device Name: COPIER
Device Model: MX-2310U
File Format: DOC (Medium)
Resolution: 200dpi x 200dpi
Attached file is scanned document in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated to view the document.
I have seen two different versions of the attached document, named in a format email@example.com_20160129_084903.doc. The detection rate for both is 6/54 and the Malwr report for one of them shows the macro downloading from:
This executable has a detection rate of 4/53 and the Hybrid Analysis reports that it phones home to:
18.104.22.168 (System Projects LLC, Russia)
I strongly recommend that you block traffic to that IP. The payload is Dridex, as seen here.
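A mail-gateway check for the lure traits shown above (subject line, "File Format: DOC" body line, attachment name format), as an added example that is not part of the original post. The function names, the quarantine policy and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
# Attachment name format described in the post: <address>_YYYYMMDD_HHMMSS.doc
ATTACH_RE = re.compile(r"^[^@\s]+@[^@\s]+_\d{8}_\d{6}\.doc$", re.IGNORECASE)
SUBJECT_RE = re.compile(r"^Scanned image from\b", re.IGNORECASE)
BODY_RE = re.compile(r"^File Format:\s*DOC\b", re.IGNORECASE | re.MULTILINE)

def lure_indicators(raw):
    """Return the set of lure traits found in one raw e-mail message."""
    msg = message_from_string(raw)
    hits = set()
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and ATTACH_RE.match(name):
            hits.add("attachment_name")
        elif not name and part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            if BODY_RE.search(body):
                hits.add("body_format_doc")
    return hits

def should_quarantine(raw):
    # Assumed policy: the attachment name format plus at least one other trait.
    hits = lure_indicators(raw)
    return "attachment_name" in hits and len(hits) >= 2

# Constructed sample message modelled on the e-mail quoted in the post.
SAMPLE = """\
Subject: Scanned image from copier@example.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Device Name: COPIER
File Format: DOC (Medium)

--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="user@example.com_20160129_084903.doc"

AAAA
--b1--
"""
```
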