The subject is some variation of DOC / Document / document plus a number. There is a ZIP file attached with a name matching the subject, there is no body text.
Contained within the ZIP file is one of several different .js scripts. Trusted third-party analysis (you know who you are, thank you!) shows download locations at:
Detection rates for the dropped binary are 5/54. The malware phones home to the following IPs:
188.8.131.52 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
184.108.40.206 (ITL, Ukraine)
220.127.116.11 (ITL, Latvia)
18.104.22.168 (ITL, Bulgaria)