From: admin [email@example.com]I have only seen a single sample with an attachment 24-02-2016-00190459.zip containing a malicious script [pastebin] which in this case downloads a binary from:
Date: 24 February 2016 at 15:25
Subject: Scanned image
Image data in PDF format has been attached to this email.
My sources say that other versions download from:
As this Hybrid Analysis shows, the payload is the Locky ransomware. The dropped binary has a detection rate of just 3/55.
Those reports show the malware phoning home to:
220.127.116.11 (ITL, Ukraine)
I strongly recommend that you block traffic to that IP.