From: Rueben Vazquez
Date: 31 August 2016 at 10:06
Subject: bank transactions
Good morning petrol.
Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.
The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name consisting of a random hexadecimal number plus _bank_transactions.js.
According to the Malwr report of these three samples    the (very sweary) scripts download from these following locations (there are probably more):
Each one of those samples drops a different DLL with detection rates of 8/57 or so    and according to the Hybrid Analsis reports    these phone home to:
22.214.171.124/data/info.php [hostname: vps-110831.freedomain.in.ua] (Digital Ocean, Netherlands)
126.96.36.199/data/info.php [hostname: u138985v67.ds-servers.com] (Hetzner, Germany)
188.8.131.52/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
184.108.40.206/data/info.php (SmartApe, Russia)
cufrmjsomasgdciq.pw/data/info.php [220.127.116.11] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
The payload is probably the Locky ransomware.