From: Glenna Johnson
Date: 4 August 2016 at 10:18
Subject: Business card

I have attached the new business card design.
Please let me know if you need a change

Sender names and that long hexadecimal number will vary. Attached is a randomly-named ZIP file containing a malicious .js script beginning with "business card" [example]. The payload appears to be Locky ransomware.
This Hybrid Analysis of the script gives plenty of detail as to what is going on. My trusted sources tell me that the list of download locations is quite short:
This drops a binary with a detection rate of 8/54. The earlier Hybrid Analysis report shows it phoning home to:
184.108.40.206/php/upload.php (Relink Ltd, Russia) [hostname: ip.cishost.ru]
220.127.116.11/php/upload.php (MWTV, Latvia)
18.104.22.168/php/upload.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine) [hostname: 22.214.171.124.colo.ukrservers.com]
All of those network blocks have a pretty poor reputation and I recommend that you block their entire ranges.
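Turning the phone-home list above into a check over web-proxy logs, as an added example that is not code from the original post: it parses the three lines exactly as listed, then flags any outbound request to one of those addresses, distinguishing the exact /php/upload.php beacon from other contact with the same host (which the post's advice to block the networks outright still covers). The proxy log lines are constructed, and the Squid native access.log layout they follow is an assumption about the reader's environment.

```python
"""Match the Locky phone-home URLs listed above against web-proxy logs.

Added example; it is not code from the original post. The IOC lines are
copied verbatim from the post. The proxy log lines are constructed for
illustration, and the Squid native access.log field layout they follow is
an assumption about the reader's environment.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Phone-home locations exactly as the post lists them.
IOC_LINES = [
    "184.108.40.206/php/upload.php (Relink Ltd, Russia) [hostname: ip.cishost.ru]",
    "220.127.116.11/php/upload.php (MWTV, Latvia)",
    "18.104.22.168/php/upload.php (FLP Kochenov Aleksej Vladislavovich aka "
    "uadomen.com, Ukraine) [hostname: 22.214.171.124.colo.ukrservers.com]",
]

# "<ip><path> (<owner>) [optional hostname note]"
IOC_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?P<path>/\S*)\s*\((?P<owner>[^)]*)\)"
)

# Squid native format (assumed): time elapsed client code/status bytes method URL ...
LOG_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log: one C2 beacon, one benign request, and one request
# to a listed IP on a different path.
SAMPLE_LOG = [
    "1470302345.123 218 10.1.2.33 TCP_MISS/200 412 POST "
    "http://184.108.40.206/php/upload.php - HIER_DIRECT/184.108.40.206 text/html",
    "1470302346.001 45 10.1.2.34 TCP_MISS/200 9034 GET "
    "http://www.example.com/index.html - HIER_DIRECT/203.0.113.10 text/html",
    "1470302347.500 190 10.1.2.35 TCP_MISS/404 320 GET "
    "http://18.104.22.168/favicon.ico - HIER_DIRECT/18.104.22.168 text/html",
]


def parse_iocs(lines):
    """Return {ip: (path, owner)} for every well-formed IOC line."""
    iocs = {}
    for line in lines:
        m = IOC_RE.match(line.strip())
        if not m:
            continue
        ip = m.group("ip")
        ip_address(ip)  # ValueError on a malformed address rather than a silent bad rule
        iocs[ip] = (m.group("path"), m.group("owner").strip())
    return iocs


def scan_proxy_log(log_lines, iocs):
    """Return one finding per request that reached a listed IP.

    An exact host+path match is the Locky beacon itself; any other request to
    a listed IP is still reported, since the post recommends blocking those
    networks outright.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("url")
        if "//" not in raw:          # CONNECT requests log "host:port" with no scheme
            raw = "//" + raw
        url = urlsplit(raw)
        host = url.hostname          # lower-cased, with any :port removed
        if host not in iocs:
            continue
        c2_path, owner = iocs[host]
        findings.append({
            "client": m.group("client"),
            "method": m.group("method"),
            "host": host,
            "path": url.path,
            "owner": owner,
            "verdict": "locky_c2_beacon" if url.path == c2_path else "contact_with_listed_ip",
        })
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG, parse_iocs(IOC_LINES)):
        print(f"{f['verdict']:24} {f['client']} -> {f['method']} {f['host']}{f['path']} ({f['owner']})")
```

The exact IPs parsed here are what a host- or path-level blocklist needs; the wider network ranges the post recommends blocking are not listed on the page, so they are left for the reader to look up from the owner names given.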