From: Accounts [accounts@victimdomain.tld]
Date: 10 March 2016 at 11:45
Subject: Document No 4873206

Thanks for using electronic billing
Please find your document attached
Regards
Accounts

The email appears to come from within the victim's own domain. The number in the subject varies, and is matched by the attachment name (e.g. Document No 4873206.zip). In turn this contains one of several malicious scripts (VirusTotal results [1] [2] [3] [4] [5] [6]). The Malwr reports [7] [8] [9] [10] [11] [12] all show an attempted download from:

ncrweb.in/system/logs/7t6f65g.exe

Happily this 404s, but it is likely that other scripts will have the same download locations as found here. The payload is the Locky ransomware, and it should drop an executable with a detection rate of 1/56.
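The pattern described above (a From address in the recipient's own domain, a "Document No <number>" subject, and a .zip attachment of the same name wrapping a script) lends itself to a simple mail-gateway heuristic. The following is an added example, not code from the original post; the sample message and zip it builds are constructed for the demo, the `own_domain` parameter is an assumption, and the script extensions it looks for are a generic list rather than anything taken from the campaign.

```python
"""Detection heuristic for the "Document No NNNN" malspam pattern (added example).

Flags a message when it
  * claims a From address in the recipient's own domain,
  * carries a subject of the form "Document No <digits>",
  * attaches a .zip whose name repeats that number, and
  * the zip contains a script file.
Uses only the Python standard library.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

SUBJECT_RE = re.compile(r"^Document No (\d+)$")
# Assumed list of script extensions worth flagging inside an attached zip.
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")


def build_sample(own_domain="victimdomain.tld", number="4873206"):
    """Construct a message mimicking the campaign (sample data, harmless placeholder script)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr(f"Document No {number}.js", "// placeholder script body\n")
    msg = EmailMessage()
    msg["From"] = f"Accounts <accounts@{own_domain}>"
    msg["To"] = f"someone@{own_domain}"
    msg["Subject"] = f"Document No {number}"
    msg.set_content("Thanks for using electronic billing\n"
                    "Please find your document attached\nRegards\nAccounts\n")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename=f"Document No {number}.zip")
    return msg.as_bytes()


def analyse(raw, own_domain):
    """Return the list of indicators matched by a raw RFC 822 message (empty = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    # 1. Sender claims to be inside our own domain.
    from_addr = str(msg.get("From", ""))
    m_from = re.search(r"@([\w.-]+)", from_addr)
    if m_from and m_from.group(1).lower() == own_domain.lower():
        hits.append("from-spoofs-own-domain")

    # 2. Subject follows the "Document No <digits>" template.
    m_subj = SUBJECT_RE.match(str(msg.get("Subject", "")).strip())
    number = m_subj.group(1) if m_subj else None
    if number:
        hits.append("subject-document-no")

    # 3. Attachment name mirrors the subject number and 4. zip wraps a script.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if number and name == f"Document No {number}.zip":
            hits.append("attachment-name-matches-subject")
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    if any(n.lower().endswith(SCRIPT_EXT) for n in zf.namelist()):
                        hits.append("zip-contains-script")
            except zipfile.BadZipFile:
                hits.append("zip-unreadable")
    return hits


def is_suspicious(raw, own_domain):
    """Quarantine threshold: three or more indicators on one message."""
    return len(analyse(raw, own_domain)) >= 3


if __name__ == "__main__":
    sample = build_sample()
    print(analyse(sample, "victimdomain.tld"), is_suspicious(sample, "victimdomain.tld"))
```

The own-domain check only makes sense at a gateway that knows the mail arrived from outside (otherwise legitimate internal mail would trip it), so in practice it would be combined with the connection's origin or an SPF/DMARC result rather than used on its own.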