From: Orval Burgess
Date: 8 March 2016 at 11:10
Subject: Compensation - Reference Number #368380
The mistake made will be compensated promptly, please do not worry.
Please take a look at the file attached (scanned document) as it contains all the information.
Attached is a file named in a similar format to SCAN_00_368380.zip which contains TWO malicious scripts named in a format similar to email.864036956.js (VirusTotal results    ) and automated analysis tools         show binary download locations at:
Those same reports indicate the malware attempts to phone home to the following IPs:
220.127.116.11 (Agava Ltd, Russia)
18.104.22.168 (EDIS, Netherlands)
22.214.171.124 (EDIS, Italy)
126.96.36.199 (EDIS, Spain)
188.8.131.52 (EDIS, Sweden)
Those automated reports all indicate that this is the Locky ransomware.
A trusted source also informs me of these additional download locations;
In addition, there is another IP address the malware phones home to:
184.108.40.206 (Web Hosting Solutions Oy, Estonia)