From: Aimee Guy
Date: 5 December 2016 at 13:32
Subject: Please Consider This

Our accountants have noticed a mistake in the payment bill #DEC-5956047.
The full information regarding the mistake, and further recommendations are in the attached document.
Please confirm the amount and let us know if you have any questions.

Attached is a ZIP file with a name somewhat matching the reference in the email, containing a malicious VBS script with a filename made up in part of the date.
The scripts download another component from one of the following locations, according to my usual reliable source:
It drops a payload with an MD5 of 529789f27eb971ff822989a5247474ce and a current detection rate of just 1/54. The malware then phones home to the following locations:
220.127.116.11/information.cgi [hostname: smtp-server1.ru] (Miran, Russia)
18.104.22.168/information.cgi (EkaComp, Russia)
These IPs were also used in this earlier attack.
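
A mail-gateway check for the delivery method described above (a ZIP attachment carrying a VBS script), as an added example that is not from the original post. The extension list, the depth and size limits, and the sample file names are assumptions; the sample archives are constructed and hold only placeholder text.

```python
import io
import posixpath
import zipfile

# Script types Windows runs on double-click (assumed blocklist, extend as needed).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
MAX_DEPTH = 3                    # assumed limit on nested-archive recursion
MAX_NESTED_BYTES = 10 * 1024**2  # assumed cap on a nested ZIP we will unpack


def script_members(zip_bytes, depth=0, prefix=""):
    """Return paths of script files inside a ZIP attachment, following nested ZIPs."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits  # not a ZIP: nothing to report here
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Only the final extension counts, so "invoice.pdf.vbs" is still caught.
            ext = posixpath.splitext(info.filename)[1].lower()
            if ext in SCRIPT_EXTS:
                hits.append(prefix + info.filename)
            elif (ext == ".zip" and depth < MAX_DEPTH
                  and info.file_size <= MAX_NESTED_BYTES
                  and not info.flag_bits & 0x1):  # skip encrypted members
                inner = archive.read(info)
                hits += script_members(inner, depth + 1, prefix + info.filename + "!")
    return hits


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed samples with hypothetical names and harmless placeholder content.
SAMPLE_BAD = build_zip({"bill_20161205.vbs": b"' placeholder text only"})
SAMPLE_NESTED = build_zip({"docs/inner.zip": SAMPLE_BAD, "readme.txt": b"hello"})
SAMPLE_CLEAN = build_zip({"statement.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for label, blob in (("bad", SAMPLE_BAD), ("nested", SAMPLE_NESTED), ("clean", SAMPLE_CLEAN)):
        print(label, script_members(blob))
```

A non-empty result is a reason to quarantine the message; encrypted or oversized nested archives are skipped here and would need their own policy.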