Malware spam: "Financial report" / "I have attached the financial report you requested."

This spam appears to come from various sources, but has a malicious attachment:

From:    Hester Stanley
Date:    29 June 2016 at 13:25
Subject:    Financial report

Hello [redacted],

I have attached the financial report you requested.


Regards
Hester Stanley

Chief Executive Officer

Attached is a ZIP file containing some version of the recipient's email address, the words "report" or "freport" or "financial" plus a number. This contains a malicious .js file beginning with "swift".

Trusted analysis by another party (thank you as ever) gives download locations at:

115.146.42.43/5dtvzet
164.15.59.210/polytech/faculte/n0iqya
210.196.205.19/~pvpip/ypznpez0
65.99.205.183/~studiantec/w29xxnph
82.140.32.172/~haukebensch/3l6zu4
83.235.64.44/~astr-pap/3h59w9s
arquipiedra.cl/6xp7a8k5
benelist.cz/p3oyew2
buron.dk//xc71iuq
centralbs.com/wogium
centro-odontoiatrico-neuromuscolare.it/jtap3
Deutsch-Krone.privat.t-online.de/od24jb
dewaeletransportes.atspace.com/moqry4r9
dragoljub.50webs.com/2gkowrrg
dueto.sk/mdjhnlh
elipse.es/~elipse/8cbjb
enpeler.web.fc2.com/nryumnd
free.co.ca//s3po2n54
geduque.com.br/xu5u1hw
geiten.nl/jjupt07
greatlakessawingsolutions.com/zm70yfs7
jharanch.net/wsi8rh9g
josenria.nl/tohbw3e
joynergraphics.com/2e7qysyn
joynergraphics.com/9htk0ug
karosguren.web.fc2.com//sgejjt
kibridz.50webs.com/l2rvuivn
kitaori.net/r7zt9
labibliocancerdig.com/mhbgy5
laneylakes.com/fj521
maridea.cz/3w36st3
maridea.eu/3ofkxjlt
mayhemparkcom.sites.qwestoffice.net/gdduzqe
onlinepartners.no/kiwcpse
onwings.nl/~onwings.nl/zcr3r9
otherworldsbookstore.com/qmn38
otherworldsbookstore.com//w7q4o2
otherworldsbookstore.com/yluli4ye
pospesch.de/78uftb3
qualiphone.tv/fpmrb
sao24.net/0wnm7v
tczpug.org/z8nvas
teste-site.hi2.ro/7he6ez0
ulin.jp/1p5sqt
vimperk-haselburg.cz/kf27u5
www.notaverde.com/vq1ep
www.oemsen.gmxhome.de/sh91u3a

The payload is Locky ransomware, phoning home to the following servers:

93.170.123.219 (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
149.154.159.125 (EDIS, Germany)
151.236.17.45 (EDIS, Germany)
151.236.17.47 (EDIS, Germany)
194.31.59.147 (Hostbar, Russia)

I don't currently have a copy of the payload.

Recommended blocklist:
93.170.123.219
149.154.159.125
151.236.17.45
151.236.17.47
194.31.59.147

Malware sites to block 7/6/13

Two IPs that look related, the first is 37.235.48.185 (Edis, Poland or Austria) which host some domains that are also found here (158.255.212.96 and 158.255.212.97, also Edis) that seem to be used in injection attacks. I can identify the following domains linked to 37.235.48.185:

faggyppvers5.info
finger2.climaoluhip.org
linkstoads.net
node1.hostingstatics.org
node2.hostingstatics.org

Injecting some of the same sites as the domains on the above IPs is jstoredirect.net which is currently offline but was hosted on 149.154.152.18 which is also Edis (can you see the pattern yet?) so I would assume that they are linked. In the few days that jstoredirect.net was online it managed to infect over 1500 sites.

Aggregate blocklist:
98.126.9.34
114.142.147.51
158.255.212.96
158.255.212.97
nethostingdb.com
netstoragehost.com
connecthostad.net
climaoluhip.org
hostingstatics.org
systemnetworkscripts.org
numstatus.com
linkstoads.net
faggyppvers5.info
jstoredirect.net