From: Donnie emilyAttached is a randomly-named ZIP file, in the sample I have seen they begin with:
Date: 12 March 2016 at 14:01
Subject: Urgent Notice # 78815053
According to our data you owe our company a sum of $452,49. There are records saying that you have ordered goods in a total amount of $ 452,49 in the third quarter of 2015.
Invoice has been paid only partially. The unpaid invoice #78815053 is enclosed below for your revision.
We are writing to you, hoping for understanding and in anticipation of the early repayment of debt.
Please check out the file and do not hesitate to pay off the debt.
Otherwise we will have to start a legal action against you.
758 N Davis St, Jacksonville,
Phone nr: 026-762-3482
This is Teslacrypt ransomware, although it is possible that some variants of this message may drop Locky. Both these binaries are slightly different (VirusTotal results  ) and they appear to phone home to:
It also attempts to contact the domain multibrandphone.com but that was not resolving at the time of analysis. It also appears to phone home to:
22.214.171.124 (Petersburg Internet Network Ltd, Russia)
126.96.36.199 (FOP Sedinkin Olexandr Valeriyovuch, Russia)
The domain bonjovijonqq.com is purely malicious and is hosted on the following IPs:
188.8.131.52 (Hudson Valley Host / Colocrossing, US)
184.108.40.206 (Amazon AWS, US)
220.127.116.11 (Middle East Internet Company Limited, Saudi Arabia)
18.104.22.168 (Sadecehosting, Turkey)
The following malicious domains are also on the same servers:
In fact, there are a vast number of malicious IPs and servers in this cluster. I simply haven't had time to look at them all yet.