The more word version comes from random senders with a subject like _9376_924272 or some other randomly-numbered sequence. Attacked to that is an XLS file of the same name and it includes this body text:
The second version has no body text and the subject No subject or (No subject). The XLS file is named in a format incorporating the date, e.g. 2016120517082126121298.xlsYour message is ready to be sent with the following file or link
attachments:
_9376_924272
Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.
The macro in the malicious Excel file downloads a component from on of the following locations (according to my usual reliable source):
aetech-solutions.com/87t34f
analypia.com/87t34f
angiebundy.com/87t34f
antelope.co.uk/87t34f
cafe-bg.com/87t34f
dachbud.slask.pl/87t34f
davetoll.com/87t34f
dcareug.com/87t34f
deminico.com/87t34f
griptrix.com/87t34f
kamico.net/87t34f
kelbud.pl/87t34f
ktlelektro.cz/87t34f
laferwear.com/87t34f
masterstudio.org/87t34f
milano.koscian.pl/87t34f
paradiseinfiji.com/87t34f
rongdaistudio.com/87t34f
rsaf.cz/87t34f
sevenseas.lk/87t34f
soulscooter.com/87t34f
sparky.com/87t34f
ssivendorinformation.com/87t34f
sublimeshop.co.uk/87t34f
subys.com/87t34f
tppsk.marcinczaja.pl/87t34f
tybor.hu/87t34f
waat.co.uk/87t34f
www.riojadental.com/87t34f
www.stavros.ca/87t34f
zealcon.com/87t34f
You can see some of the things done in these two Malwr reports [1] [2]. The Locky ransomware dropped then phones home to one of the following locations:
185.82.217.28/checkupdate [hostname: olezhkakovtony11.example.com] (ITL, Bulgaria)
91.142.90.61/checkupdate (Miran, Russia)
195.19.192.99/checkupdate (OOO EkaComp, Russia)
Recommended blocklist:
185.82.217.28
91.142.90.61
195.19.192.99