Date: 10 March 2016 at 09:02
Subject: Attached File
In the sample I saw, there was an attachment firstname.lastname@example.org_07567_273772.zip which contained a randomly-named script with a detection rate of 5/57. Automated analysis shows that this is the Locky ransomware, and it downloads a binary from:
This binary has a detection rate of just 1/56. Those reports indicate that the malware phones home to:
188.8.131.52 (Petersburg Internet Network Ltd, Russia)
184.108.40.206 (PS Internet Company LLC, Kazakhstan)
There are probably many other download locations and some more C2s as well. I will update this post if I see them.
This additional analysis is from a trusted third party (thank you!)
Additional download locations:
220.127.116.11 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
18.104.22.168 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine)
The sender is canon, copier, epson, scanner or xerox at the victim's domain.
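
A mail-filter check for the traits described in this post (a device-style sender at the recipient's own domain, the "Attached File" subject, and the attachment name), as an added example that is not part of the original post. The attachment-name pattern is generalised from the single sample above; the two-indicator threshold, the function names and the .example addresses are assumptions, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sender local parts listed in the post.
DEVICE_SENDERS = {"canon", "copier", "epson", "scanner", "xerox"}
# Assumption: generalised from the one attachment name in the post,
# i.e. <email address>_<digits>_<digits>.zip
ATTACHMENT_RE = re.compile(r"^[^@\s]+@[^@\s]+_\d+_\d+\.zip$", re.I)

def campaign_indicators(raw_message):
    """Return the campaign traits found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    s_local, _, s_domain = sender.partition("@")
    r_domain = rcpt.rpartition("@")[2]
    hits = []
    # A "scanner" that mails from the recipient's own domain.
    if s_local in DEVICE_SENDERS and s_domain and s_domain == r_domain:
        hits.append("device-sender-at-own-domain")
    if (msg.get("Subject") or "").strip().lower() == "attached file":
        hits.append("subject")
    if any(ATTACHMENT_RE.match(p.get_filename() or "") for p in msg.walk()):
        hits.append("attachment-name")
    return hits

def is_suspect(raw_message):
    # Assumed threshold: one trait alone (e.g. the subject) is too common.
    return len(campaign_indicators(raw_message)) >= 2

# Constructed sample messages, not taken from the campaign.
SAMPLE_SPAM = (
    "From: scanner@victim.example\n"
    "To: jane.doe@victim.example\n"
    "Subject: Attached File\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: application/zip\n"
    "Content-Disposition: attachment;\n"
    ' filename="jane.doe@victim.example_07567_273772.zip"\n'
    "\n"
    "placeholder body\n"
    "--b1--\n"
)
SAMPLE_BENIGN = (
    "From: scanner@partner.example\nTo: jane.doe@victim.example\n"
    "Subject: Attached File\n\nSee attached.\n"
)
```

Because the sender claims to be at the recipient's own domain, rejecting inbound mail from outside that uses an internal domain in the From header stops this lure before any content rule is needed.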