Date: 26 April 2016 at 12:58
Subject: Missing payments for invoices inside
Hope you are good.
Hope you are good. We're missing payments on our statements for the invoices included in this email. Please let us know, when the payments will be initiated.
BTW, trying to get reply from you for a long time. This is not junk, do not ignore it please.
This drops a file pretending to be favicon.ico which is actually an executable with a detection rate of 3/56. This Hybrid Analysis and this DeepViz report indicate network traffic to:
220.127.116.11 (OrionVM Retail Pty Ltd, Australia)
18.104.22.168 (Hetzner, Germany)
22.214.171.124 (FPT Telecom Company, Vietnam)
126.96.36.199 (EASY Net, Czech Republic)
The payload isn't exactly clear, but it looks like Dridex rather than Locky. Almost certainly one of the two.