From: Julianne PittmanThe names in each version of the email vary. Attached is a ZIP file with a filename containing some version of the recipients email address and the word "report" which contains in turn a malicious ZIP .js script beginning with the words "unpaid".
Date: 23 June 2016 at 09:48
Subject: Final version of the report
Patrica Ramirez asked me to send you the attached Word document, which contains the final version of the report.
Please let me know if you have any trouble with the file, and please let Patrica know if you have any questions about the contents of the report.
Operations Director (CEO Designate)
The payload is not known at this time and analysis is pending, but is likely to be Locky ransomware similar to this.
Hybrid Analysis of three sample scripts    show three download locations (you can bet there will be many more):
Each one drops a slightly different binary (VirusTotal results   ) but at the moment automated analysis is inconclusive      . I will try to post the C2 servers here if I get them.
A trusted third party analysis shows the following download locations (thank you!) :
C2 servers are at:
22.214.171.124 (Rackspace, US)
126.96.36.199 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
188.8.131.52 (ITL, Ukraine)
184.108.40.206 (ITL, Latvia)
220.127.116.11 (PE Dunaeivskyi Denys Leonidovich, Ukraine)
The malware uses the path /upload/_dispatch.php on the C2 servers.