Wednesday, 11 May 2016

Malware spam: Emailing: Photo 05-11-2016, 03 26 04

This spam comes with a malicious attachment:

From:    victim@victimdomain.tld
To:    victim@victimdomain.tld
Date:    11 May 2016 at 12:39
Subject:    Emailing: Photo 05-11-2016, 03 26 04

Your message is ready to be sent with the following file or link

Photo 05-11-2016, 03 26 04

Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
It appears to come from the sender's own email address, but this is a simple forgery (explained here). Attached is a ZIP file with a name similar to Photo 05-11-2016, 03 26 04.zip (the numbers in the attachment
match the references in the email). It contains a .js file with a similar name.
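The two tells described above (a From address identical to the To address, and a ZIP whose name echoes the subject and wraps a .js script) are easy to check for at the mail gateway. The following Python is an added example written for this page, not code from the original post; it builds a constructed, inert message with the same shape (the archive holds a harmless text file named like a script, not the real attachment) and runs a small triage function over it. Everything uses the Python standard library; the finding names are this example's own.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will hand to Windows Script Host / mshta when a user
# double-clicks them out of an opened ZIP. Extend as your environment needs.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")


def build_sample_message() -> bytes:
    """Construct a message mirroring the campaign's shape (constructed data).

    The ZIP contains an inert one-line text file named like the dropper; the
    real attachment from the post is NOT reproduced here.
    """
    msg = EmailMessage()
    msg["From"] = "victim@victimdomain.tld"      # forged to match the recipient
    msg["To"] = "victim@victimdomain.tld"
    msg["Subject"] = "Emailing: Photo 05-11-2016, 03 26 04"
    msg.set_content(
        "Your message is ready to be sent with the following file or link\n\n"
        "Photo 05-11-2016, 03 26 04\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Photo 05-11-2016, 03 26 04.js", "// inert placeholder\n")
    msg.add_attachment(
        buf.getvalue(),
        maintype="application",
        subtype="zip",
        filename="Photo 05-11-2016, 03 26 04.zip",
    )
    return msg.as_bytes()


def _first_addr_spec(msg: EmailMessage, field: str) -> str:
    """Return the bare user@domain of the first address in a header, lowercased."""
    hdr = msg[field]
    if hdr is None or not getattr(hdr, "addresses", ()):
        return ""
    return hdr.addresses[0].addr_spec.lower()


def analyse_message(raw: bytes) -> dict:
    """Triage one RFC 822 message for the self-addressed ZIP-of-script pattern."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    scripts = []

    # Tell 1: sender address forged to equal the recipient address.
    sender = _first_addr_spec(msg, "From")
    recipient = _first_addr_spec(msg, "To")
    if sender and sender == recipient:
        findings.append("from_equals_to")

    subject = str(msg["Subject"] or "")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        # Tell 2: the archive name is lifted straight from the subject line.
        if name[:-4] and name[:-4] in subject:
            findings.append("attachment_name_in_subject")
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            findings.append("corrupt_zip_attachment")
            continue
        # Tell 3: a script file inside the archive.
        for inner in names:
            if inner.lower().endswith(SCRIPT_EXTENSIONS):
                scripts.append(inner)
    if scripts:
        findings.append("script_in_zip")

    return {
        "findings": findings,
        "scripts": scripts,
        # A script inside a ZIP is reason enough to quarantine on its own.
        "quarantine": "script_in_zip" in findings,
    }


if __name__ == "__main__":
    result = analyse_message(build_sample_message())
    for key, value in result.items():
        print(f"{key}: {value}")
```

The From/To comparison is deliberately a supporting signal rather than a verdict: plenty of legitimate mail is self-addressed. The archive inspection is what should drive quarantine, and it needs no signature for the payload, which matters when the dropped file is at a 3/56 detection rate as described here.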

Trusted third-party analysis (thank you!) shows the various scripts downloading from:


This drops a file with a detection rate of 3/56. This is likely to be Locky ransomware; a full analysis is pending. However, an earlier Locky campaign today phoned home to: (Host Sailor, United Arab Emirates) (Overoptic Systems, UK / Russia) (ITL, Ukraine)

According to a DeepViz report, this sample has identical characteristics.

Recommended blocklist:


Jetlag Gemini said...

Thank you for posting this. Just received one of these today. I knew it was spam because I didn't send a "Photo" from myself to myself, but I was curious as to how they were able to do it via my email address. Now I know!

PC.Tech said...

ALL the ones posted above are bad, ya' think?

strato-hosting .eu/87yg7yyb - /87yg7yyb
developinghands .com/87yg7yyb - |
gesdes .com/87yg7yyb -
helpcomm .com/87yg7yyb -
neihan8 .tk/87yg7yyb - Could not find an IP address for this domain name.
oldtimerfreunde-pfinztal .de/87yg7yyb -
otakutamashi .cl/87yg7yyb -
sarikamisotelleri .com/87yg7yyb -