Subject: Financial documentsSender names will probably vary. In the sample I saw there was an attachment named fin_docs_f73856f4.zip containing a malicious script NRV_A194008F_.vbs that looks like this. This particular script (and there will be others like it) attempts to download from:
From: Judy Herman
Date: Monday, 7 November 2016, 10:53
These financial documents need to be uploaded on the system.
Please let me know if you experience any technical problems.
According to this Hybrid Analysis, the malware then phones home to:
18.104.22.168/message.php [hostname: panteleev.zomro.com] (Layer6 Networks, Bulgaria / ITLDC, Latvia)
22.214.171.124/message.php [hostname: endgo.ru] (Hostpro Ltd. / hostpro.com.ua, Ukraine)
126.96.36.199/message.php (Knopp, Russia)