Date: 11 December 2015 at 08:25
Subject: Invoice #66626337/BA2DEB0F
Our finance department has processed your payment, unfortunately it has been declined.
Please, double check the information provided in the invoice down below and confirm your details.
Thank you for understanding.
This behaviour can be seen in these automated reports  . The downloaded executable has a detection rate of 6/55 and an MD5 of 56214f61a768c64e003b68bae7d67cd2. This Malwr report gives a clearer indication of what the binary is doing, attempting to pull information from:
The screenshots indicate clearly that this is ransomware, specifically Teslacrypt.
Note that the soft2webextrain.com domain is on the same server as softextrain64.com seen yesterday, so 126.96.36.199 (CloudSol LLC, Russia) can be considered to be malicious.
I didn't spot originally that the "soft2webextrain.com" website is multhomed with another IP address on 188.8.131.52 which is an OVH IP allocated to a customer "Dmitry Shestakov" an which forms a small block of 184.108.40.206/30 which is probably also worth blocking.
I made an error with one of the IP addresses and specified 220.127.116.11 and it should have been 18.104.22.168.