Sponsored by..

Tuesday, 26 July 2016

Malware spam: "list of activities" leads to Locky

This fake business spam has a malicious attachment:

From     "Penelope Phelps"
Date     Tue, 26 Jul 2016 23:02:43 +1100
Subject     list of activities


Attached is the list of activities to help you arrange for the coming presentation.
Please read it carefully and write to me if you have any concern.

Warm regards,
Penelope Phelps
Security-ID: 4d2c95a750fe26a3560ffddfe374ff5c5c064bd78fea30
The sender's name, company and "Security-ID" vary. Attached is a ZIP file with elements of the recipient's email address in, containing a malicious .wsf script that looks like this. This Malwr report and this Hybrid Analysis show this particular sample downloading from:


There will be many other download locations in addition to this. The downloaded file is Locky ransomware with a detection rate of 8/55. Further analysis is pending, however it is quite likely that this sample uses the same C2 servers as seen earlier today.

No comments: