From: Janis Faulkner [FaulknerJanis8359@ono.com]
Date: 29 April 2016 at 11:13
Subject: Second Reminder - Unpaid Invoice
We wrote to you recently reminding you of the outstanding amount of $8212.88 for Invoice number #304667, but it appears to remain unpaid.
For details please check invoice attached to this mail
Chief Executive Officer - Food Packaging Company
Attached is a ZIP file with a name similar to unpaid_invoice551.zip which contains a randomly-named script. Oddly, most of the script appears to be text copy-and-pasted from the Avira website.
The scripts I have seen download slightly different binaries from the following locations:
VirusTotal detection rates are in the range of 8/56 to 10/56    . In addition to those reports, various automated analyses      show that this is Locky ransomware phoning home to:
220.127.116.11 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
18.104.22.168 (Park-web Ltd, Russia)
22.214.171.124 (Relink Ltd, Russia)
126.96.36.199 (Agava Ltd, Russia)
188.8.131.52 (Relink, Russia / OVH, France)
I strongly recommend that you block traffic to: