From: Nicole Roman
Date: 9 November 2016 at 10:44
Subject: Account temporarily suspended

You have exceeded the limit of operations on your credit card.
Thus, we have temporarily blocked your account.
The full itemization of transactions and instructions are given in the document attached to this message.

The name of the sender varies. In the sample I looked at, the attachment was named after the recipient plus a random number, containing a randomly-named malicious .js script that looks like this.
That particular script attempts to download a binary from one of the following locations (you can be sure there are others);
This Hybrid Analysis and this Malwr report show a DLL being dropped with an MD5 of f86d98b1a67952f290c550db1c0bdcbc and a detection rate of 9/56.
No C2 locations have been identified yet. I will post them here if I get them.