From: Lorna trevor-roper [trevor-roperLorna54235@cable.net.co]So far I have seen three samples, with attachments named in the format Invoice_ref-30432839.zip containing a malicious script starting with invoice_ and then having some variable elements in it. These have detection rates of 3/55 or so    and which the Malwr reports    indicate attempt to GET a binary from one of the following locations:
Date: 3 March 2016 at 17:28
Subject: Order Delay - Package Ref. 30432839
The delay of your parcel ref. # 30432839 cannot be controlled due to the unstable weather conditions in our region.
We are doing everything we can to arrange the best shipping time for your package.
Please check the information on your purchase in the attached file. There your will also find the info on the new delivery time.
Sales Department Manager
3000 E Grand Ave,
Des Moines, IA 27222
Data is then POSTed to:
The VirusTotal reports for the dropped binary   indicate Ransomware, but those Malwr reports look more like the Dridex banking trojan. Either way it is Nothing Good.
The download locations are interesting, hosted on the following IPs:
220.127.116.11 (Sadecehosting, Turkey)
18.104.22.168 (Secure Dragon LLC, US)
The following domains are either hosted on these IPs or use them as namesevers. They all look highly suspect and worthy of futher analysis:
Smarter folks than I think this is Teslacrypt.