The MHT file is attached to a spam e-mail that is supposedly sent from HSBC, a British-based international banking and financial services company. The attachment is presented as a Bill Payment Advice and is named Payment_Advice.mht. When the attachment is opened, it downloads an HTA file containing a VBScript (Visual Basic Script), which in turn downloads the Fareit trojan, the downloader of the Locky ransomware.
Customers of HSBC have reported the issue to their banking services provider. On their behalf, representatives of HSBC gave an account of the event to the security analysts of Cisco Talos. This new spam campaign by the developers of the Locky cryptomalware is still in its infancy. However, users are warned to be suspicious of spam e-mails that are supposedly sent from HSBC and contain the Payment Advice MHT file.
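A mail-gateway style check for the chain described above, added here as an example and not taken from Talos or BleepingComputer: it flags `.mht`/`.mhtml` attachments and lists any `.hta` URLs they reference. The sample message, the `example.invalid` URL and the assumption that the MHT points at the HTA with a plain URL ending in `.hta` are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumption: the MHT points at the remote HTA with a URL ending in ".hta".
HTA_URL = re.compile(r"https?://[^\s\"'<>]+\.hta\b", re.IGNORECASE)
# Constructed sample MHT (MIME HTML archive); example.invalid is a placeholder.
SAMPLE_MHT = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
    b"--b1\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n\r\n"
    b'<script src=3D"http://example.invalid/a.hta"></script>\r\n'
    b"--b1--\r\n"
)

def hta_urls_in_mht(mht_bytes):
    """Return sorted .hta URLs from the decoded text parts of an MHT archive."""
    msg = email.message_from_bytes(mht_bytes, policy=policy.default)
    found = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            # get_content() undoes quoted-printable/base64 before matching
            found.update(HTA_URL.findall(part.get_content()))
    return sorted(found)

def scan_email(eml_bytes):
    """Map each .mht/.mhtml attachment name to the .hta URLs it references."""
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    report = {}
    for att in msg.iter_attachments():
        name = att.get_filename() or ""
        if name.lower().endswith((".mht", ".mhtml")):
            raw = att.as_bytes() if att.is_multipart() else att.get_payload(decode=True)
            report[name] = hta_urls_in_mht(raw or b"")
    return report

def build_sample_eml():
    """Constructed spam-like message carrying SAMPLE_MHT as an attachment."""
    m = EmailMessage()
    m["Subject"] = "Bill Payment Advice"
    m.set_content("Please see the attached payment advice.")
    m.add_attachment(SAMPLE_MHT, maintype="application",
                     subtype="octet-stream", filename="Payment_Advice.mht")
    return m.as_bytes()

if __name__ == "__main__":
    print(scan_email(build_sample_eml()))
```

An attachment that appears in the report with an empty URL list is still an MHT file arriving by e-mail and worth quarantining for review.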
Sources: blog.talosintel.com and bleepingcomputer.com.