From: Valarie Davenport
Date: 2 December 2015 at 11:59
Subject: November Invoice #60132748
Please review the attached copy of your Electronic document.
A paper copy of this document is being mailed, but this email is being sent in addition for your convenience.
Thank you for your business.
Attached is a file invoice_60132748.zip which contains a malicious obfuscated script INVOICE_main_BD3847636213.js [Pastebin obfuscated / deobfuscated] and this downloads a malicious file from:
It also tries to contact 188.8.131.52, but this times out. An attempt to download from bestsurfinglessons.com comes up with a 404 error.
The Malwr report and Hybrid Analysis indicates that this communicates with the following compromised domains:
Both those reports indicate that this is the Teslacrypt ransomware.
Furthermore, the Hybrid Analysis report also shows other traffic to: