The subject is some variation of DOC / Document / document plus a number. There is a ZIP file attached with a name matching the subject, there is no body text.
Contained within the ZIP file is one of several different .js scripts. Trusted third-party analysis (you know who you are, thank you!) shows download locations at:
Detection rates for the dropped binary are 5/54. The malware phones home to the following IPs:
18.104.22.168 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
22.214.171.124 (ITL, Ukraine)
126.96.36.199 (ITL, Latvia)
188.8.131.52 (ITL, Bulgaria)