These are being sent out in huge numbers at the moment. Details vary from message to message, but the body text is essentially the same. Attached is a ZIP file containing the words addition, invoice or services plus the recipients email address and a number (e.g. lisa_addition_278292.zip) containing a malicious script beginning with the word "addition".
From: Lilian Fletcher
Date: 21 June 2016 at 20:01
Please find attached our invoice for services rendered and additional disbursements in the above-
Hoping the above to your satisfaction, we remain.
Head of Maintenance
A trusted third-party analysis (thank you, you know who you are) shows download locations at:
Analysis by those parties shows that it phones home to:
220.127.116.11 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
18.104.22.168 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
22.214.171.124 (ITL, Bulgaria)
126.96.36.199 (ITL, Ukraine)
As I mentioned before, this is Locky ransomware which has not been circulating at all since about 31st May.