From: Idris Mohammed [firstname.lastname@example.org]Attached is a file img-DOC-Z21193008.docm which I have seen two versions of (VirusTotal results  ). Automated analysis     shows the macro in these two documents downloading from:
Date: 9 March 2016 at 09:55
There are no doubt several other download locations. This binary has a detection rate of 3/56. The various reports indicate that it phones home to a server at:
188.8.131.52 (Impsat, Argentina)
I strongly recommend that you block traffic to that IP. Payload is likely to be the Dridex banking trojan.
A contact sent some more download locations (thank you!)
..and also some additional C2s..
184.108.40.206 (NoTag Community / Hetzner, Germany)
220.127.116.11 (1&1, Germany)
18.104.22.168 (FHU Climax Rafal Kraj, Poland)