From: Frank.ClaraZO@pr-real.comAttached is a ZIP file with a name similar to Invoice 5044-032841.zip which in turn contains a malicious script named in a similar manner to invoice(677454).js which typically has a detection rate of 3/56. Hybrid Analysis of that sample shows the script creating a PFX (personal certificate) file which is then transformed into a PIF (executable) file using the certutil.exe application.
Date: 25 May 2016 at 11:34
Subject: The invoices from INCHCAPE PLC
Following the phone conversation with the accounting department represantatives I'm sending you the invoices.
Thank you for attention,
tel. (2045)/641493 54
> Sent from Iphone
This PIF file itself has a detection rate of 6/56 but automated analysis    is inconclusive. The behaviour is somewhat consistent with the Dridex banking trojan but may possibly be Locky ransomware.