From: CLAUDIA MARTINEZ [firstname.lastname@example.org]Attached is a randomly-named ZIP file (e.g. 053324_00238.zip) which contains a malicious script (e.g. 0061007_009443.js). The samples I have seen download a binary from:
Date: 27 April 2016 at 16:22
Subject: Message from "RNP0BB8A7"
Este e-mail ha sido enviado desde "RNP0BB8A7" (Aficio MP 171).
Datos escaneo: 27.04.2016 00:31:10 (+0000)
Preguntas a: email@example.com
This drops a version of what appears to be Locky ransomware with a detection rate of zero. I know from another source, that these additional download locations were being used for an English-language spam run this afternoon:
This DeepViz report shows the malware phoning home to:
184.108.40.206 (Digital Ocean, US)
220.127.116.11 (Digital Ocean, Singapore)
18.104.22.168 (Digital Ocean, Netherlands)
There's a triple whammy for Digital Ocean! Well done them.