From: Sara OsborneAttached is a ZIP file (the ones I have seen so far all begin with responses_) which contains a malicious script name in a similar way to employees -382-.js. These have a typical detection rate of 4/56.
Date: 26 May 2016 at 10:53
Please find attached a document containing our responses to the other points which we
discussed on Monday 23th May.
Please let me know if you have any queries
Two samples analysed by Malwr   show download locations from:
There will be many other download locations too. These drop two different binaries (VirusTotal results  ). Those two VT results plus these two DeepViz analyses   show the malware phoning home to:
188.8.131.52 (Hetzner, Germany)
184.108.40.206 (Total Server Solutions, US)
220.127.116.11 (JSC Server, Russia)
18.104.22.168 (Redstation, UK)
This behaviour is consistent with Locky ransomware.