The name of the sender will vary. Attached is a ZIP file with a random hexadecimal number, containing a malicious .js script beginning with office_facilities_ plus another random hexadecimal number.
Subject: old office facilities
From: Kimberly Snow (Snow.email@example.com)
Date: Friday, 2 September 2016, 8:55
Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.
Analysis is pending, but this Malwr report indicates attempted communications to:
..both apparently hosted on 188.8.131.52 (Crowncloud, US). Those domain names are consistent with this being Locky ransomware.
According to this Malwr report it drops a DLL with a detection rate of 10/58. Also those mysterious .wang domains appear to be multihomed on the following IPs:
184.108.40.206 (New Wave NetConnect, US)
220.127.116.11 [hostname: support01.cf] (Servercrate aka CubeMotion LLC, US)
18.104.22.168 (Crowncloud, US)
22.214.171.124 ("Kevin Kevin" / Servercrate aka CubeMotion LLC, US)
126.96.36.199 (Net3, US)
188.8.131.52 (OVH, Canada)
184.108.40.206 (OVH, Canada)