The emails that I am currently seeing this morning are very basic and simple, but they do always catch the unwary or curious user. They are all pretending to come from various yahoo email addresses with a subject of Photos and a completely blank / empty email body.
One of the emails looks like:
From: Mitchell <Mitchell842@yahoo.com>
Date: Thu 16/06/2016 05:55
Body content: Blank / Empty
All copies I have seen so far today contain exactly the same docment_380578378.js inside the photo.zip ( VirusTotal Detections) Payload Security shows the download was from shivshantiin.in/n78f7gbniu ( VirusTotal detections) which shows the same file from 2 weeks ago before the Necurs botnet went down and Locky was unable to spread with its previous intensity.
It looks like our short holiday from the onslaught of email delivered malware has come to an end and we should all be prepared for a massive attack over the next few days.