Another day another attempt at sending through zipped attachments…
From: Truman Koch <Truman.Koch@onyxmd.com>
Subject: Invoice #879384
Attachment: Invoice #879384.zip
Please find Invoice #879384 attached
Please note that our payment terms are #25 days.
Best regards,
Truman Koch
The invoice number and the number of days seem to change in each email.
Also seen were these sender names:
Aldo Mcdonald <Aldo-Mcdonald@freestarbank.com>
Mohammed Sheppard <Mohammed-Sheppard@marsh.com>
Craig Mathis <Craig.Mathis@fitzservicecompany.com>
Inside the ZIP is a file “Invoice #879384.js”. Different e-mails contained slightly different file content. Here are the ones I’ve seen so far:
SHA256 75b2fa43296c80b222dedb9355e392bf88289445608bbc95c44f00309dab792b
SHA256 3727653a25a8fb3e550fa9a859818da8cba68c2475b7c4f91cb620c481582d57
SHA256 668ecb645e3e884e3bdca8457251d39666ac16e3e8e68eaa4c05507e4c38f41d
SHA256 271d5b9a1ec0ead7d78b02bc36df2c6db5b8484c4a3ee3f6935136ab961d0ebb
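As an added example (not from the original post), here is a small Python checker for a mail gateway or incident triage box: it opens a ZIP attachment in memory, hashes every member, and flags either a script-type file (such as the "Invoice #NNNNNN.js" seen here) or a member whose SHA256 matches one of the hashes listed above. The script extension list and the in-memory test ZIP are my own assumptions; the hashes are the ones quoted in the post.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

# SHA256 hashes of the "Invoice #NNNNNN.js" samples quoted in the post.
KNOWN_BAD_SHA256 = {
    "75b2fa43296c80b222dedb9355e392bf88289445608bbc95c44f00309dab792b",
    "3727653a25a8fb3e550fa9a859818da8cba68c2475b7c4f91cb620c481582d57",
    "668ecb645e3e884e3bdca8457251d39666ac16e3e8e68eaa4c05507e4c38f41d",
    "271d5b9a1ec0ead7d78b02bc36df2c6db5b8484c4a3ee3f6935136ab961d0ebb",
}

# Assumption (policy choice): script-type files should never arrive inside an e-mailed ZIP.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1"}


def inspect_zip(data: bytes) -> list[dict]:
    """Return one finding per ZIP member: name, sha256 and the reasons it was flagged (if any)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)  # attachments are small; stream this for large archives
            digest = hashlib.sha256(content).hexdigest()
            reasons = []
            ext = PurePosixPath(info.filename).suffix.lower()
            if ext in SCRIPT_EXTENSIONS:
                reasons.append(f"script attachment ({ext})")
            if digest in KNOWN_BAD_SHA256:
                reasons.append("sha256 matches known sample")
            findings.append({"name": info.filename, "sha256": digest, "reasons": reasons})
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when any member of the ZIP triggered at least one reason."""
    return any(f["reasons"] for f in inspect_zip(data))


def build_sample_zip(member_name: str, content: bytes) -> bytes:
    """Constructed fixture: an in-memory ZIP with one member (not a real malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Same file name as the campaign, but a harmless placeholder body.
    sample = build_sample_zip("Invoice #879384.js", b"// placeholder, not the real downloader\n")
    for finding in inspect_zip(sample):
        print(finding)
```

The extension check fires on the file name alone, so it catches new variants before their hashes are known; the hash check is the high-confidence match for the samples already seen.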
When run, the script sends requests to:
http://22072014c.com/images/five1.jpg
http://22072014c.com/images/five2.jpg
It then CryptoWalls your files (encrypts them and demands a ransom).
The domain 22072014c.com uses the same nameservers seen in this scam over the past week.
The domain points to the following IP addresses:
109.87.68.203
176.107.198.34
77.122.50.141
46.98.97.89
195.114.156.65
178.150.153.18
109.237.47.9
95.47.128.209
176.117.64.103
212.15.151.42
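As a second added example (again not from the original post), this Python snippet matches the network indicators above against proxy log lines: the domain (including any subdomain), the resolved IP addresses, and the two download paths. The log format and the sample lines are constructed for the example; the domain, paths and IP list are the ones quoted in the post.

```python
import ipaddress
from urllib.parse import urlsplit

# Network indicators quoted in the post.
BAD_DOMAINS = {"22072014c.com"}
BAD_IPS = {ipaddress.ip_address(a) for a in [
    "109.87.68.203", "176.107.198.34", "77.122.50.141", "46.98.97.89",
    "195.114.156.65", "178.150.153.18", "109.237.47.9", "95.47.128.209",
    "176.117.64.103", "212.15.151.42",
]}
BAD_PATHS = {"/images/five1.jpg", "/images/five2.jpg"}

# Constructed sample lines in a hypothetical "timestamp client_ip method url" proxy log format.
SAMPLE_LOG = """\
2015-03-10T09:12:01Z 10.0.0.15 GET http://22072014c.com/images/five1.jpg
2015-03-10T09:12:03Z 10.0.0.15 GET http://176.107.198.34/images/five2.jpg
2015-03-10T09:13:44Z 10.0.0.22 GET http://example.org/index.html
2015-03-10T09:14:10Z 10.0.0.31 GET http://sub.22072014c.com/
"""


def classify(url: str) -> list[str]:
    """Return the indicator types matched by one URL (empty list when clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = []
    # Exact domain or any subdomain of it.
    if any(host == d or host.endswith("." + d) for d in BAD_DOMAINS):
        hits.append("domain")
    try:
        if ipaddress.ip_address(host) in BAD_IPS:
            hits.append("ip")
    except ValueError:
        pass  # host is a name, not an IP literal
    # Path alone is a weak signal; it is reported so it can be correlated, not alerted on by itself.
    if parts.path in BAD_PATHS:
        hits.append("path")
    return hits


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, url, hits) for every line matching at least one indicator."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _method, url = fields
        hits = classify(url)
        if hits:
            alerts.append((client, url, hits))
    return alerts


if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(hits)}]")
```

Matching on the parsed hostname rather than substring-searching the raw line avoids false hits on query strings or unrelated hosts that merely contain the indicator text.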