Sponsored by..

Monday, 27 June 2016

Malware spam: DOC1234 / document4321 / Document56789 leads to Locky

This rather terse spam run leads to Locky ransomware and appears to come from the sender's own email account (but doesn't).

The subject is some variation of DOC / Document / document plus a number. There is a ZIP file attached with a name matching the subject, there is no body text.

Some examples

Subject: DOC541887
Attachment: DOC541887.zip

Subject: document36168
Attachment: document36168.zip

Subject: Document453567810
Attachment: Document453567810.zip

Contained within the ZIP file is one of several different .js scripts. Trusted third-party analysis (you know who you are, thank you!) shows download locations at:


Detection rates for the dropped binary are 5/54. The malware phones home to the following IPs: (Andrey Orlov aka Relink LLC, Russia / OVH, France) (ITL, Ukraine) (ITL, Latvia) (ITL, Bulgaria)

Recommended blocklist:

No comments: