From: Alicia RamirezThere are a large number of these, with a ZIP file attached containing a malicious scripts with a typical detection rate of 3/56. In this sample Malwr analysis, it downloads a file from:
Date: 25 May 2016 at 14:22
Subject: Weekly report
Please find attached the Weekly report.
Castle (A.M.) & Co.
There will certainly be a LOT of other download locations. The dropped file GSKQtcnNu8MS.exe has a detection rate of 4/55 and that same VirusTotal report indicates C2 traffic to:
220.127.116.11 (Hetzner, Germany)
18.104.22.168 (PP SKS-LUGAN, Ukraine)
22.214.171.124 (Digital Ocean, US)
126.96.36.199 (OVH, France)
Even though other automated analysis failed   this time we have previously identified two of those IPs as being Locky ransomware, so there is little doubt that this will be more of the same.