From: Melisa Keller
Date: 9 March 2016 at 12:08
Subject: FW: Invoice 2016-M#111812
Please find attached 2 invoices for processing.
This email has been scanned by the Symantec Email Security.cloud service.
Attached is a file with a name similar to Payment_2016_March_111812.zip which contains two scripts, which in the samples I have seen all start with "see_it" or "problem". These malicious scripts all have low detection rates      . The Malwr reports for those samples       show that the scripts download a binary from:
Only two of the download locations work, dropping binaries with a detection rate of 5/55  . Note that there may be other download locations.
The Malwr reports indicate that the malware phones home to:
18.104.22.168 (PS Internet Company LLC, Kazakhstan)
22.214.171.124 (EDIS, Italy)
The payload is the Locky ransomware.
I received the following information from another source (thank you)
Additional download locations:
126.96.36.199 (PE Astakhov Pavel Viktorovich, Ukraine)
188.8.131.52 (EDIS, Netherlands)
184.108.40.206 (EDIS, Spain)