From: Marla CampbellAttached is a randomly named ZIP file containing a malicious .js script in the format Express Parcel service ~0A1B2C~.js with a junk w file that seems to contain nothing.
Date: 19 September 2016 at 09:09
Subject: Express Parcel service
Dear [redacted], we have sent your parcel by Express Parcel service.
The attachment includes the date and time of the arrival and the lists of the items you ordered. Please check them.
The Hybrid Analysis for one sample shows a download location of:
22.214.171.124/z3zeg (21 Century Telecom Ltd, Russia)
There are probably others (I'll post them if I get them). The payload appears to be Locky ransomware, phoning home to:
126.96.36.199/data/info.php (Ukrainian Internet Names Center LTD, Ukraine)
188.8.131.52/data/info.php (TCTEL, Russia)
ajsrbomqrrlra.pw/info.php [184.108.40.206] (Private Person Anton Malyi aka conturov.net, Ukraine)
It drops a DLL with a detection rate of 8/54.
These Hybrid Analysis reports of other samples      show other download locations at:
All of these domains are hosted on evil IPs:
220.127.116.11 (21 Century Telecom Ltd, Russia)
18.104.22.168 (Evgeniy Zbarazhskiy aka TOV 'Dream Line Holding', Ukraine)
These domains are all related and should be considered malicious:
The last one listed in italics is part of the update.