From: Marian Mcgowan
Date: 3 August 2016 at 11:15
Subject: Fw: New invoices
As you directed, I send the attachment containing the data about the new invoices
Attached is a randomly-named ZIP file containing a highly obfuscated .js script which, according to this Malwr analysis, downloads a binary from..
..when decrypted it creates a binary with a detection rate of 4/54. That same Malwr analysis shows it phoning home to:
220.127.116.11/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm.in]
This IP was seen last night and it seems that there is a concurrent Locky spam run phoning home to:
18.104.22.168/php/upload.php (MWTV, Latvia)
22.214.171.124/php/upload.php (Agava, Russia) [hostname: srv1129.commingserv.com]
Both those IPs are in known bad blocks.
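
An added example (not part of the original post): a small check over web-proxy logs for the phone-home pattern listed above. It flags requests to the listed hosts and, more generally, any request for `/php/upload.php` on a bare IP address. The log format, the client addresses and the sample lines are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Path and hosts exactly as listed in the post above.
C2_PATH = "/php/upload.php"
LISTED_HOSTS = {"220.127.116.11", "18.104.22.168", "22.214.171.124",
                "pundik.rus.1vm.in", "srv1129.commingserv.com"}

# Constructed sample; assumed format: timestamp client method url status
SAMPLE_LOG = """\
2016-08-03T11:20:01Z 10.0.0.15 POST http://220.127.116.11/php/upload.php 200
2016-08-03T11:20:07Z 10.0.0.22 GET http://intranet.example/php/upload.php 200
2016-08-03T11:21:44Z 10.0.0.31 POST http://192.0.2.77/php/upload.php 200
2016-08-03T11:22:10Z 10.0.0.15 GET http://192.0.2.77/index.html 200
this line is malformed
2016-08-03T11:23:02Z 10.0.0.40 POST http://22.214.171.124:80/php/upload.php?x=1 404
"""

def is_ip_literal(host):
    """True if host is a bare IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify(line):
    """Return (client, host, verdict) for a suspicious line, else None."""
    parts = line.split()
    if len(parts) != 5:
        return None                      # skip malformed lines
    _, client, _method, url, _status = parts
    try:
        u = urlsplit(url)
        host = (u.hostname or "").lower()  # strips port, lowercases
    except ValueError:
        return None
    if u.path != C2_PATH:                # query string is not part of path
        return None
    if host in LISTED_HOSTS:
        return (client, host, "listed")  # exact indicator from the post
    if is_ip_literal(host):
        return (client, host, "pattern") # same URI on an unlisted bare IP
    return None

def scan(log_text):
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for client, host, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:8} client={client} dest={host}")
```

A "pattern" hit is a lead to investigate rather than a confirmed infection, since the path alone is not unique to this campaign.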