From: FX Service [email@example.com]Details will vary from message to message. Attached s a ZIP file with a name that broadly matches the one referred to in the subject (e.g. F-7172277033-1974602246-2016032111285-47417.zip) which contains any one of a wide number of malicious scripts (some example VirusTotal results     ). Malwr analysis of those samples      shows binary download locations at:
Date: 21 March 2016 at 14:32
Subject: Fax transmission: -7172277033-1974602246-2016032111285-47417.tiff
Please find attached to this email a facsimile transmission we
have just received on your behalf
(Do not reply to this email as any reply will not be read by
a real person)
There are probably other download locations too. The dropped binary has a VirusTotal detection rate of just 2/56. This Malwr report of the payload indicates that it is Locky ransomware.
All of those sources plus this Deepviz report show network traffic to the following IPs:
220.127.116.11 (Ukrainian Internet Names Center, Ukraine)
18.104.22.168 (MWTV, Latvia)
22.214.171.124 (Keyweb AG, Germany / 300GB.ru, Russia)
126.96.36.199 (ITL Company, Ukraine)
If I receive more information I will post it here.