From: Tonia Graves [GravesTonia8279@ikom.rs]There sender's name and the reference numbers change in each version. Attached is a file copy_invoice_11004118.zip which in turn contains a malicious script [VT 5/54] which in the sample I investigated was named invoice_iU9A2Y.js. When deofuscated it looks like this.
Date: 9 December 2015 at 14:50
Subject: Your order #11004118 - Corresponding Invoice #B478192D
Dear Valued Customer,
We are pleased to inform you that your order #11004118 has been processed and ready to be dispatched. However, according to our records, above mentioned invoice is still unpaid.
We would highly appreciate if you sent your payment promptly. For your information, don't hesitate to check the invoice enclosed to this letter or contact us directly.
In case if you have already sent your payment, please disregards this letter and kindly allow us up to 3 business days to clear the incoming payment.
We look forward to your remittance and will the dispatch the goods.
Thank you for choosing our services we sincerely hope to continue doing business with you again.
Sales Department Manager
2715 Sycamore Road
Nyssa, OR 97913
The Malwr report for that script shows it downloading from:
The script itself shows an alternate location of:
This has a VirusTotal detection rate of 3/55. A Malwr report on just the executable plus this Hybrid Analysis report shows it connecting to:
It also tries to identify the IP address of the host by connecting to http://myexternalip.com/raw which is a benign service that you might consider to be a good indicator of compromise.
You can see in the screenshots of that Malwr report that this is ransomware, specifically Teslacrypt.