From Kathryn Smith [firstname.lastname@example.org]
Date Thu, 28 Jul 2016 16:21:41 +0530
Subject Self Billing Statement

I do not know if there is any body text at present. Attached is a file with a name similar to Self Billing Statement_431.zip which contains a similarly named malicious script (e.g. Self Billing Statement_4424.js).
Analysis by a trusted party shows that these scripts download a component from one of the following locations:
This originally dropped this payload, since updated to this payload, both of which are Locky ransomware. The C2 servers to block are exactly the same as found in this earlier spam run.
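A mail-gateway style check for the attachment pattern described above (a ZIP holding a similarly named .js script), added here as an example and not part of the original post or the analysis it cites. The extension blocklist, the function names and the sample message are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script types Windows runs on double-click (assumed blocklist, not from the page).
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")
# Naming pattern seen in this spam run: "Self Billing Statement_<digits>.<ext>"
LURE_NAME = re.compile(r"^self billing statement_\d+\.(zip|js)$", re.I)


def scan_message(raw: bytes) -> list[dict]:
    """Return one finding per script file found inside a ZIP attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue  # not a ZIP container, nothing to list
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():  # names only; nothing is extracted
                base = member.rsplit("/", 1)[-1]
                if base.lower().endswith(SCRIPT_EXTS):
                    findings.append({
                        "attachment": name,
                        "member": member,
                        "matches_lure": bool(LURE_NAME.match(name) and LURE_NAME.match(base)),
                    })
    return findings


def build_sample() -> bytes:
    """Constructed sample: an inert placeholder script, zipped and attached."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Self Billing Statement_4424.js", "// inert placeholder")
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["Subject"] = "Self Billing Statement"
    msg.set_content("placeholder body")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Self Billing Statement_431.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Any script inside a ZIP attachment is reported, whatever its name; `matches_lure` only marks the ones that also follow this run's file naming, so renamed variants are still caught by the extension check.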