From: Ellen thorp
Date: 7 March 2016 at 07:08
Subject: Order Confirmation - Payment Successful, Ref. 81096454
Thank you for your transaction of $477,84. The shipping time varies from 3 to 5 business days, however we will do our best so you can receive your order as soon as possible.
We will send all the information regarding this case to your local post office. They will contact the phone number you provided when the package arrives.
Double check please the document enclosed to this email.
Thank you for your order and we hope to see you again as our customer.
95 N Forks Ave,
Forks, WA 30212
Attached is a randomly-named ZIP file in the format Invoice_ref-81096454.zip which contains a further malicious script file beginning with invoice_, invoice_copy or invoice_SCAN. Detection rates for these vary      . These Hybrid Analysis reports on three of the samples    show the script download a malicious binary from:
At the moment, those domains don't seem to be resolving, but if you replace the domains with the IP addresses then it will work. The sites are hosted on the following servers:
184.108.40.206 (OVH, France)
220.127.116.11 (Multacom Corporation, US)
The 69.exe and 80.exe files are actually different, both have a detection rate of 4/54  . Analysis of these files     indicates behaviour consistent with ransomware, and these binaries attempt to phone home to the following domains:
The two IPs specified as binary download locations have hosted a number of other evil sites: