All the emails were very simple emails with a HTML attachment look like this:
All the emails came from IP numbers that have previously been seen to be used by Necurs botnet. The domains listed in the from box do not track back to the IP numbers they came from.
The script in the file looks like:
Indicators of Compromise