From: admin [email@example.com]The email appears to originate from within the victim's own domain. Attached is a randomly-named file with a format similar to 2016022936833473.zip containing a malicious script with a name somewhat like SCAN000469497.js I have seen three different versions of the attached scripts with detection rates of around 1/55   . The Malwr reports for those    show download locations at:
Date: 29 February 2016 at 19:05
Subject: Scanned image
Image data in PDF format has been attached to this email.
This appears to be Locky ransomware with a detection rate of just 3/55. Those Malwr reports also indicate C&C servers at:
188.8.131.52 (Dmitrii Podelko, Russia / OVH, France)
184.108.40.206 (ITL aka UA Servers, Ukraine)
Note that one of the download locations is 404ing. There may be other download locations that I am not aware of, howerver I recommend that you block all traffic to: