From: admin [firstname.lastname@example.org]The email appears to originate from within the victim's own domain. Attached is a randomly-named file with a format similar to 2016022936833473.zip containing a malicious script with a name somewhat like SCAN000469497.js I have seen three different versions of the attached scripts with detection rates of around 1/55   . The Malwr reports for those    show download locations at:
Date: 29 February 2016 at 19:05
Subject: Scanned image
Image data in PDF format has been attached to this email.
This appears to be Locky ransomware with a detection rate of just 3/55. Those Malwr reports also indicate C&C servers at:
18.104.22.168 (Dmitrii Podelko, Russia / OVH, France)
22.214.171.124 (ITL aka UA Servers, Ukraine)
Note that one of the download locations is 404ing. There may be other download locations that I am not aware of, howerver I recommend that you block all traffic to: