From: Idris Mohammed [firstname.lastname@example.org]Attached is a file img-DOC-Z21193008.docm which I have seen two versions of (VirusTotal results  ). Automated analysis     shows the macro in these two documents downloading from:
Date: 9 March 2016 at 09:55
There are no doubt several other download locations. This binary has a detection rate of 3/56. The various reports indicate that it phones home to a server at:
220.127.116.11 (Impsat, Argentina)
I strongly recommend that you block traffic to that IP. Payload is likely to be the Dridex banking trojan.
A contact sent some more download locations (thank you!)
..and also some additional C2s..
18.104.22.168 (NoTag Community / Hetzner, Germany)
22.214.171.124 (1&1, Germany)
126.96.36.199 (FHU Climax Rafal Kraj, Poland)