Date: 27 July 2016 at 10:38
Sent from my Samsung device
The subject can be "SCAN", "scan" or "COPY" with a random number. Attached is a .DOCM file with a name that matches the subject. This file contains a malicious macro which downloads a component from one of the following locations:
The dropped file is Locky ransomware and it has a detection rate of 2/52. It phones home to the following locations:
18.104.22.168/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
22.214.171.124/upload/_dispatch.php (Digital Ocean, Netherlands)
(Thank you to my usual source for this data)
There is nothing of value in the 126.96.36.199/27 range, and several IPs appear to have been hosting malware in the past.