From: Ernestine Harvey
Date: 15 December 2015 at 11:34
Subject: Invoice Attached
Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.
Mr. Ernestine Harvey
Accounting Specialist | Bank of America, N.A., Cabot Oil & Gas Corp.
The sender name varies randomly, but in the email they are all signed "Mr." even when they have female names, for example:
Mr. Colleen Sheppard
Mr. Joel Small
Mr. Esther Gates
Mr. Devin Joyce
Mr. Todd Robertson
The attachments are named in the format invoice_12345678_scan.doc; the filenames are randomly generated and every attachment appears to be unique. Typical VirusTotal detection rates are around 3/54, and the macro looks something like this.
An analysis of five of the attachments shows attempted downloads from:
Note that these are all .TK domains, and they are all hosted on exactly the same server at 220.127.116.11 (GTO Ltd, Montenegro). A look at VirusTotal's report for that IP gives another malicious domain of:
I would suggest that the entire 18.104.22.168/24 range looks pretty questionable.
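Two indicators from this campaign lend themselves to simple gateway-side triage: the fixed attachment naming scheme (invoice_&lt;8 digits&gt;_scan.doc) and the /24 range flagged above. The following Python script is an added example, not code from the original post: it parses a few constructed mail-gateway log lines (sender, subject, attachment name, and the IP a sandbox saw the attachment contact) and reports why each message is suspicious. The log format and the sample rows are assumptions; the filename pattern and the 18.104.22.168/24 range come from the post.

```python
import ipaddress
import re
from typing import Dict, List

# Attachment naming scheme observed in the campaign: invoice_<8 digits>_scan.doc
INVOICE_ATTACHMENT_RE = re.compile(r"^invoice_\d{8}_scan\.doc$", re.IGNORECASE)

# Range the post suggests treating as questionable. strict=False normalises the
# host address 18.104.22.168 to the network 18.104.22.0/24.
SUSPECT_NETWORKS = [ipaddress.ip_network("18.104.22.168/24", strict=False)]

# Constructed gateway log (not from the post). Tab-separated:
# sender, subject, attachment name, IP the attachment contacted in a sandbox ("-" = none).
SAMPLE_LOG = """\
Ernestine Harvey\tInvoice Attached\tinvoice_12345678_scan.doc\t18.104.22.10
Colleen Sheppard\tInvoice Attached\tinvoice_87654321_scan.doc\t220.127.116.11
Alice Example\tQ4 budget\tbudget_q4.xlsx\t-
Joel Small\tInvoice Attached\tinvoice_2015_scan.doc\t18.104.22.99
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split the tab-separated log into one dict per message."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sender, subject, attachment, contact_ip = line.split("\t")
        records.append(
            {"sender": sender, "subject": subject,
             "attachment": attachment, "contact_ip": contact_ip}
        )
    return records


def in_suspect_range(ip: str) -> bool:
    """True if the address falls inside any flagged network."""
    if ip == "-":
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_NETWORKS)


def classify(record: Dict[str, str]) -> List[str]:
    """Return the list of reasons a message looks like this campaign (empty = clean)."""
    reasons = []
    if INVOICE_ATTACHMENT_RE.match(record["attachment"]):
        reasons.append("attachment name matches invoice_<8 digits>_scan.doc")
    if in_suspect_range(record["contact_ip"]):
        reasons.append(f"attachment contacted {record['contact_ip']} in a flagged /24")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each attachment name to its list of reasons."""
    return {rec["attachment"]: classify(rec) for rec in parse_log(text)}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        status = "SUSPICIOUS" if reasons else "clean"
        print(f"{name:30} {status:10} {'; '.join(reasons)}")
```

The fourth constructed row shows why the two checks belong together: its filename has a four-digit number and so misses the regex, but the network indicator still flags it. Conversely, the second row matches the filename pattern while contacting a server outside the flagged range, so neither indicator alone covers the campaign.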
Anyway, the downloaded binary has a VirusTotal detection rate of 4/55 and the comments indicate that rather surprisingly this is the Nymaim ransomware. The Hybrid Analysis indicates network traffic to xnkhfbc.in on 22.214.171.124 (Szabo & Buhnemann, Brazil). But in fact that domain seems to move around a lot and has recently been seen on the following IPs:
126.96.36.199 (Orange Tunisie Internet, Tunisia)
188.8.131.52 (OVH, France)
184.108.40.206 (Corbina Telecom, Russia)
220.127.116.11 (Netinternet, Turkey)
18.104.22.168 (Dishnet, India)
22.214.171.124 (TANET, Taiwan)
126.96.36.199 (Osbil Technology Ltd., Turkey)
188.8.131.52 (Global Frag Networks, US)
184.108.40.206 (Szabo & Buhnemann Ltda, Brazil)
220.127.116.11 (HOSTING-NET, Japan)
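A domain that hops between hosting providers in several countries within days, as xnkhfbc.in does above, stands out in passive-DNS data far more than a domain whose address changes within one provider. The Python below is an added example, not part of the original post: it summarises per-domain resolution history and flags domains seen on many distinct networks. The observation dates, the record layout and the two benign comparison domains are constructed; the xnkhfbc.in addresses and network owners are the ones listed in the post.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed passive-DNS style records: (date observed, domain, IP, network owner).
# The xnkhfbc.in rows reuse IP/owner pairs from the post; dates are made up.
OBSERVATIONS: List[Tuple[str, str, str, str]] = [
    ("2015-12-01", "xnkhfbc.in", "126.96.36.199", "Orange Tunisie Internet"),
    ("2015-12-03", "xnkhfbc.in", "188.8.131.52", "OVH"),
    ("2015-12-06", "xnkhfbc.in", "184.108.40.206", "Corbina Telecom"),
    ("2015-12-09", "xnkhfbc.in", "22.214.171.124", "Szabo & Buhnemann Ltda"),
    # A normal corporate domain: one address for the whole period.
    ("2015-12-01", "example-corp.invalid", "203.0.113.10", "Example Hosting"),
    ("2015-12-09", "example-corp.invalid", "203.0.113.10", "Example Hosting"),
    # A CDN-fronted domain: addresses rotate, but all within one provider.
    ("2015-12-02", "cdn.example.invalid", "198.51.100.1", "Example CDN"),
    ("2015-12-05", "cdn.example.invalid", "198.51.100.2", "Example CDN"),
]

# Distinct hosting networks at or above which a domain is flagged (assumed tuning value).
NETWORK_THRESHOLD = 3


def hosting_churn(observations, threshold: int = NETWORK_THRESHOLD) -> Dict[str, dict]:
    """Summarise resolution history per domain and flag provider-hopping domains.

    Counting distinct network owners rather than distinct IPs keeps ordinary
    load-balanced or CDN-fronted domains below the threshold.
    """
    ips = defaultdict(set)
    networks = defaultdict(set)
    first_seen: Dict[str, str] = {}
    last_seen: Dict[str, str] = {}

    for date, domain, ip, owner in sorted(observations):
        ips[domain].add(ip)
        networks[domain].add(owner)
        first_seen.setdefault(domain, date)
        last_seen[domain] = date

    summary = {}
    for domain in ips:
        summary[domain] = {
            "distinct_ips": len(ips[domain]),
            "distinct_networks": len(networks[domain]),
            "first_seen": first_seen[domain],
            "last_seen": last_seen[domain],
            "flagged": len(networks[domain]) >= threshold,
        }
    return summary


if __name__ == "__main__":
    for domain, info in hosting_churn(OBSERVATIONS).items():
        mark = "FLAG " if info["flagged"] else "     "
        print(f"{mark}{domain:22} ips={info['distinct_ips']} "
              f"networks={info['distinct_networks']} "
              f"{info['first_seen']}..{info['last_seen']}")
```

With real passive-DNS exports the same function applies unchanged; the threshold is the only tuning knob, and the owner field can be replaced by an ASN if that is what the data source provides.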
There are a bunch of bad domains associated with this malware but the only other one that seems to be active is oxrdmfdis.in.
A source tells me (thank you) that servicexmonitoring899.tk is now resolving to 18.104.22.168 (iomart, UK), which has also recently hosted the following domains:
Some of these domains are associated with Rovnix.