From: Christine Faure [email@example.com]To save you putting it into Google Translate, the body text reads "Your message is ready to be sent with the following file or link attached". Attached is a file 9758W-TERREDOC-RS62937-15000.zip which comes in at least eight different versions each containing a different malicious script (VirusTotal results        ). The Malwr reports for those samples         show a malicious binary downloaded from:
Date: 28 March 2016 at 16:54
Subject: Envoi d’un message : 9758W-TERREDOC-RS62937-15000
Votre message est prêt à être envoyé avec les fichiers ou liens joints suivants :
Message de sécurité
Note that the last file is not like the others. There may be other download locations. The "765f46vb" binary has a detection rate of 4/57 and according to all those previous reports plus these other automated analyses     the malware phones home to:
22.214.171.124 (Park-web Ltd, Russia)
126.96.36.199 (300GB.ru, Russia / Keyweb, Germany)
188.8.131.52 (Host Sailor, Netherlands)
184.108.40.206 (SKS-Lugan, Ukraine)
220.127.116.11 (MWTV, Latvia)
18.104.22.168 (OVH, Germany / Unihost, SC)
All of those look like pretty shady neigbourhoods, although I haven't examined them closely at this point. The payload is the Locky ransomware.
The other binary appears to be another version of Locky which appears to phone home to the same servers.