Malware spam: "Order: 28112610/00 - Your ref.: 89403" leads to Locky

This fake financial spam has a malicious attachment that leads to Locky ransomware.

Subject:     Order: 28112610/00 - Your ref.: 89403
From:     Melba lochhead (SALES1@krheadshots.com)
Date:     Monday, 19 September 2016, 16:05

Dear customer,

Thank you for your order.

Please find attached our order confirmation.

Should you be unable to open the links in the document, you can download the latest version of Adobe Acrobat Reader for free via the following link: http://www.adobe.com/products/acrobat/readstep2.html

Should you have any further questions, do not hesitate to contact me.


Kind Regards,

Melba lochhead
Internal Sales Advisor - Material Handling Equipment Parts & Accessories
SALES1@krheadshots.com

TVH UK LTD
UNIT 17 PARAGON WAY • GB-CV7 9QS EXHALL, COVENTRY
T 02476 585 000 • F 02476 585 001 • www.tvh-uk.co.uk
Watch our company movies on www.tvh.tv

Take our forklift and aerial work platform challenge! Identify 10 brands by their machines. Be the fastest and win great prizes! Click on the image to start the quiz.

I have only seen a single sample so far, but I understand that reference numbers and names vary. Attached is a malicious .DOCM file with a name in the format OffOrd_87654321-00-1234567-654321.docm , my trusted source says that the various versions download a component from:

bernardchandran.com/67SELbosjc358
bobneal.net/67SELbosjc358
burgeoservise.ru/67SELbosjc358
dirkdj.nl/67SELbosjc358
emperesseconcierge.com/67SELbosjc358
extramileteam.com/67SELbosjc358
fernandoarias.org/67SELbosjc358
festivaldhamaka.com/67SELbosjc358
fungasoap.net/67SELbosjc358
grupoalana.com/67SELbosjc358
hellolanguage.com/67SELbosjc358
heritagebaptistchurch.ca/67SELbosjc358
hotelcelnice.cz/67SELbosjc358
judgedeborahshallcross.com/67SELbosjc358
kursustokoonline.net/67SELbosjc358
lomtalay.com/67SELbosjc358
ncmartec.org/67SELbosjc358
omeryilmaz.com/67SELbosjc358
puchipuchivirus.com/67SELbosjc358
sadek-music.com/67SELbosjc358
scanarchives.com/67SELbosjc358
seokonya.com/67SELbosjc358
techscape4.com/67SELbosjc358
thaihomecondo.com/67SELbosjc358
win88id.com/67SELbosjc358
zheng-du.com/67SELbosjc358

It drops a DLL which had a moderate detection rate earlier. This version of Locky does not communicate with C2 servers, so if you want to block or monitor traffic perhaps you should use the string 67SELbosjc358.