Subject: Document from Paige
From: Paige cuddie (Paige592035@gmail.com)
Date: Wednesday, 5 October 2016, 9:37
In this case there was an attached file DOC-20161005-WA0002793.zip containing a malicious script [pastebin] DOC-20161005-WA0002715.wsf.
Automated analysis shows this sample downloads from:
There will be many other locations besides this.
Those same reports show the malware (in this case Locky ransomware) phoning home to:
184.108.40.206/apache_handler.php (Overoptic Systems, UK / Russia)
220.127.116.11/apache_handler.php (Ildar Gilmutdinov aka argotel.ru, Russia)
The sample I found downloaded a legitimate binary from ciscobinary.openh264.org/openh264-win32-v1.3.zip, presumably as an anti-analysis technique.
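A mail-gateway style check for the attachment pattern described above (a ZIP carrying a .wsf script), as an added example that is not part of the original post. It generalises from .wsf to other Windows script extensions and to nested ZIPs; the function names, size cap and sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions Windows runs as script when double-clicked. Only .wsf is from
# the page; the others are an added generalisation.
SCRIPT_EXTS = {".wsf", ".wsh", ".js", ".jse", ".vbs", ".vbe", ".hta"}
MAX_NESTED_BYTES = 10 * 1024 * 1024  # assumed cap before unpacking inner ZIPs


def risky_members(zip_bytes, depth=0, max_depth=2):
    """Return (member path, reason) pairs for one ZIP attachment."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "not a readable ZIP")]
    findings = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in SCRIPT_EXTS:
                findings.append((name, "script file " + ext))
            elif info.flag_bits & 0x1:  # encrypted member, contents opaque
                findings.append((name, "encrypted, cannot inspect"))
            elif (ext == ".zip" and depth < max_depth
                  and info.file_size <= MAX_NESTED_BYTES):
                # Recurse into inner archives, bounded in depth and size.
                inner = risky_members(zf.read(info), depth + 1, max_depth)
                findings += [(name + "/" + n, r) for n, r in inner]
    return findings


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples with inert contents; the .wsf name follows the page.
SAMPLE = make_zip({"DOC-20161005-WA0002715.wsf": b"<job></job>"})
NESTED = make_zip({"scan.zip": SAMPLE, "readme.txt": b"hello"})
CLEAN = make_zip({"report.pdf": b"%PDF-1.4"})

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("nested", NESTED), ("clean", CLEAN)):
        print(label, risky_members(blob))
```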