The sender's name will vary. Attached is a ZIP file with a random hexadecimal name, containing a malicious .js file beginning with a random sequence and ending with _shipping_service.js.

Subject: Shipping information
From: Charles Burgess
Date: Thursday, 1 September 2016, 9:30
Our shipping service is sending the order form due to the request from your company.
Please fill the attached form with precise information.
Very truly yours,
Automated analysis of two samples sees the script downloading from the following locations (there are probably more than this):
Between those four reports, there are three different DLLs dropped (VirusTotal). This Hybrid Analysis shows the malware phoning home to:
188.8.131.52/data/info.php [hostname: take.cli] (ITL, Ukraine)
184.108.40.206/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
220.127.116.11/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
xattllfuayehhmpnx.pw/data/info.php [18.104.22.168] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
The payload is probably Locky ransomware.
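
A triage sketch for the two patterns described above: the hex-named ZIP carrying a script ending in _shipping_service.js, and the /data/info.php phone-home path. This is an added example, not code from the original post; the function names, the sample file names and the 192.0.2.10 address are constructed, and treating "hexadecimal name" as hex digits only is an assumption.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

# Assumption: "random hexadecimal name" means only hex digits before .zip.
HEX_ZIP = re.compile(r"^[0-9a-f]+\.zip$", re.IGNORECASE)
JS_SUFFIX = "_shipping_service.js"   # script name ending given in the post
C2_PATH = "/data/info.php"           # phone-home path given in the post


def check_attachment(filename, data):
    """Return the reasons an attachment matches the campaign description."""
    reasons = []
    if HEX_ZIP.match(filename):
        reasons.append("hex-named zip")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return reasons  # not a readable ZIP; nothing more to inspect
    for name in members:
        base = name.rsplit("/", 1)[-1].lower()
        if base.endswith(JS_SUFFIX):
            reasons.append(f"script member: {name}")
    return reasons


def is_callback_url(url):
    """True if a proxy-log URL uses the phone-home path named in the post."""
    if "://" not in url:
        url = "http://" + url  # proxy logs often omit the scheme
    return urlsplit(url).path.lower() == C2_PATH


def make_sample_zip(member_name):
    """Build a harmless ZIP in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// placeholder, not malware\n")
    return buf.getvalue()


if __name__ == "__main__":
    zip_bytes = make_sample_zip("x7Qp_shipping_service.js")
    print(check_attachment("3fa9c1d07b.zip", zip_bytes))
    print(is_callback_url("192.0.2.10/data/info.php"))
```

The path match alone is broad, so treat a hit as a lead to correlate with the attachment match rather than as a verdict.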