From: firstname.lastname@example.orgIt appears to come from the sender's own email address, but this is a simple forgery (explained here). Attached is a ZIP file with a name similar to Photo 05-11-2016, 03 26 04.zip (the numbers in the attachment
Date: 11 May 2016 at 12:39
Subject: Emailing: Photo 05-11-2016, 03 26 04
Your message is ready to be sent with the following file or link
Photo 05-11-2016, 03 26 04
Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.
match the references in the email). It contains a .js file with a similar name.
Trusted third-party analysis (thank you!) shows the various scripts downloading from:
This drops a file with a detection rate of 3/56. This is likely to be Locky ransomware, a full analysis is pending. However an earlier Locky campaign today phoned home to:
126.96.36.199 (Host Sailor, United Arab Emirates)
188.8.131.52 (Overoptic Systems, UK / Russia)
184.108.40.206 (ITL, Ukraine)
According to a DeepViz report, this sample has identical characteristics.