From: Secure-FeDexIn this case there was an attachment FedEx_track_98404283928.zip which unzipped into a folder FedEx_track_98404283928 containing in turn a malicious script FedEx_track_98404283928.js which (according to Malwr) attempts to download a binary from one of the following locations:
Date: 8 June 2016 at 18:17
Subject: David Bernard agent Fedex
Deаr [redacted] ,
We tried tо delivеr уour item on June 08th, 2016, 10:45 АM.
The delivеry attempt failеd because thе аddress was business сlоsed оr nobodу сould sign fоr it.
Тo piсk up the package, please, рrint the receipt that is аttаchеd to this еmаil and visit FеdEx
office indicated in the invoice. If the pасkagе is nоt piсkеd up within 24 hоurs, it will bе returnеd to thе shipper.Receipt Number: 98402839289
Eхpесted Delivеrу Dаte: June 08th, 2016
Class: Intеrnаtional Paсkаge Sеrviсe
Servicе(s): Delivеrу Cоnfirmation
Status: Notifiсatiоn sentThank you for choosing our service© FedEх 1995-2016
Only the first one is a valid download location, the rest are a smokescreen. The dropped binary has a detection rate of 5/56 but automated analysis    is inconclusive. However those reports do seem to indicate attempted network traffic to:
These two subdomains appears to have been hijacked from unrelated Register.IT customers and are hosted on a questionable-looking customer of OVH Italy on 22.214.171.124:
org-name: Kitdos NOC
address: UNKNOW UNKNOW
Other hijacked subdomains on the same IP are:
This Tweet from @pancak3lullz indicates that this IP is associated with Anrdomeda rather than the usual recent patterns of Locky or Dridex (which has.. err.. dried up recently). It appears to have been a malicious IP for more than a month.
Of interest is that almost every part of this chain (including the spam sending IP of 126.96.36.199) is in Italy.
As with a great deal of recent spam, this is delivered via a .js script in a ZIP file. If you can configure your mail filters to reject such things then you will be a whole lot safer.