From: Elfrida Wymer [WymerElfrida9172@recordshred.com]It's a bit of a self-fulfilling prophecy. If you are daft enough to download the ZIP file, and extract and run the script then perhaps you WILL get fired.
Date: 3 May 2016 at 12:40
Subject: You Are Fired BBF904D
We regret to inform you, yet we no longer need require your services.
Attached you can find additional information and the payout roll for the last month.
According to this Malwr report, the twice-obfuscated script in the sample I saw downloads a binary from:
This Hybrid Analysis indicates that this is Locky ransomware. The DeepViz report shows network traffic to:
220.127.116.11 (Petersburg Internet Network, Russia)
18.104.22.168 (Sobis, Russia)
22.214.171.124 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
This is a subset of the IPs found in this earlier spam run, I recommend you block the lot.