From: Velma hodson
Date: 29 February 2016 at 16:49
Subject: Invoice #16051052/15
You are receiving this informational letter because of the fact that you have a debt totaling $157,54 due to late payment of invoices dating March ‘15.
In attachment you will find a reconciliation of the past 12 months (year 2015).
Please study the file and contact us immediately to learn what steps you should take to avoid the accrual of penalties.
I have only seen a single sample with an attachment named Invoice_ref-16051052.zip which in turn contains a malicious script invoice_kOUEsX.js that looks like this [pastebin]. The script has a VirusTotal detection rate of 2/55 and these automated analysis tools show that it attempts to download a binary from the following locations:
The domain names have a similar theme, indicating that the servers are malicious. It might be worth blocking:
126.96.36.199 (EuroNet, Poland)
188.8.131.52 (Eonix, US)
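The delivery pattern described above (a .zip attachment whose only content is a .js script) can be caught at the mail gateway before anything runs. The following is an added example, not part of the original post: the function names, the extension list and the verdict labels are assumptions, and the sample archives are constructed with inert contents.

```python
import io
import zipfile

# Assumed list: script types that Windows runs on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def script_members(zip_bytes):
    """Return archive member names with a script extension, or None if the
    bytes are not a readable zip. Only the directory is read; nothing is
    extracted or executed."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
            names = archive.namelist()
    except zipfile.BadZipFile:
        return None
    hits = []
    for name in names:
        # Take the file name only; Windows ignores trailing dots and spaces.
        base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
        dot = base.rfind(".")
        if dot != -1 and base[dot:] in SCRIPT_EXTENSIONS:
            hits.append(name)
    return hits


def verdict(filename, zip_bytes):
    """Classify one attachment as 'quarantine', 'review' or 'pass'."""
    if not filename.lower().endswith(".zip"):
        return "pass"
    hits = script_members(zip_bytes)
    if hits is None:
        return "review"  # unreadable archive: leave it for a human
    return "quarantine" if hits else "pass"


def make_zip(members):
    """Build a zip in memory from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed samples: names follow the post, contents are inert placeholders.
SAMPLE_BAD = make_zip({"invoice_kOUEsX.js": b"// placeholder, not the script"})
SAMPLE_OK = make_zip({"reconciliation_2015.pdf": b"%PDF-1.4 placeholder"})
```

Because the check looks only at member names, it works regardless of the script's antivirus detection rate.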
This Malwr report shows that the dropped payload is ransomware, calling home to the following domains:
I recommend that you block traffic to those domains plus the two IPs, giving a recommended blocklist of: