To be precise, the ZIP file distributed by the spam campaign launches PowerShell to download a Kovter payload that delivers ransomware. The secondary payload is CoreBot, a highly adaptive form of modular malware.
According to Heimdal’s Andrea Zaharia, the spam message looks something like this:
From: [spoofed / fake return address]
Subject Line: Payment for tax refund # 00 [6 random numbers]
Tax_Refund_00654767.zip -> Tax_Refund_00654767.doc.js
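The lure above gives a defender two concrete things to match on: the subject-line pattern and a ZIP attachment whose member carries a document extension followed by a script extension (`.doc.js`). The following is an added example, not code from Heimdal or Tripwire, that checks a message against those two indicators; the function names, the in-memory sample ZIP and the list of extensions are my own assumptions.

```python
import io
import re
import zipfile

# Subject reported for the campaign: "Payment for tax refund # 00" followed by six random digits.
SUBJECT_RE = re.compile(r"^Payment for tax refund # 00\s?\d{6}$", re.IGNORECASE)
# Script extensions hidden behind a document-looking name, e.g. "Tax_Refund_00654767.doc.js".
SCRIPT_EXT = {".js", ".jse", ".vbs", ".wsf", ".ps1"}   # assumed list, extend as needed
DOC_EXT = {".doc", ".docx", ".pdf", ".xls", ".txt"}    # assumed list, extend as needed


def double_extension_script(name: str) -> bool:
    """True for names like 'x.doc.js': a document extension directly followed by a script extension."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, doc, script = parts
    return "." + doc in DOC_EXT and "." + script in SCRIPT_EXT


def assess_message(subject: str, attachment_name: str, attachment_bytes: bytes) -> list:
    """Return the campaign indicators matched by one message (empty list means nothing matched)."""
    hits = []
    if SUBJECT_RE.match(subject.strip()):
        hits.append("subject matches tax-refund lure")
    if attachment_name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(attachment_bytes)) as zf:
                for member in zf.namelist():
                    if double_extension_script(member):
                        hits.append(f"zip member {member} is a double-extension script")
        except zipfile.BadZipFile:
            hits.append("attachment claims .zip but is not a valid zip")
    return hits


def build_sample_zip(member_name: str) -> bytes:
    """Constructed sample: a zip holding one harmless text file under the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// constructed placeholder, not the real downloader\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip("Tax_Refund_00654767.doc.js")
    print(assess_message("Payment for tax refund # 00654767", "Tax_Refund_00654767.zip", sample))
```

A mail gateway or SIEM rule would normally quarantine on the attachment indicator alone, since the subject text is easy for the sender to vary.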
Commentary from David Bisson for Tripwire: Fake IRS Spam Email Campaign Serves Up Kovter, CoreBot Malware
Added to Ransomware Resources page.