From: Ignacio le neve
Date: 9 September 2016 at 10:31
Subject: Order Confirmation 355050211

This message is intended only for the individual or entity to which it is addressed and may contain information that is private and confidential. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication and its attachments is strictly prohibited.

The name of the sender and the reference number will vary. Attached is a file named consistently with the reference (e.g. Ord355050211.zip), but an error in the MIME formatting means that this may save with a .dzip ending instead of .zip.
Analysis is pending; my trusted source (thank you) says that the various scripts download from one of the following locations:
The URL is appended with a randomised query string (e.g. ?abcdEfgh=ZYXwvu). The payload is Locky ransomware with an MD5 of 5db5fc57ee4ad0e603f96cd9b7ef048a, but I do not have a sample yet.
This version of Locky does not use C2s, so if you want to block traffic then I recommend using the list above or monitoring/blocking access attempts with 7832ghd in the string.
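As an added illustration of the monitoring suggested above (this is not code from the original post), the following Python scans constructed proxy log lines for the 7832ghd marker and checks attachment names against the Ord&lt;reference&gt;.zip/.dzip pattern. The query-string shape it scores on is an assumption generalised from the single example ?abcdEfgh=ZYXwvu, and the hostnames are placeholders, since the real download list is not reproduced here.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log lines (not from the original post): "client url status".
SAMPLE_LOG = """\
10.0.0.12 http://example-a.invalid/7832ghd?abcdEfgh=ZYXwvu 200
10.0.0.15 http://example-b.invalid/images/logo.png 200
10.0.0.12 http://example-c.invalid/path/7832ghd?QwErTyUi=AsDfGh 200
10.0.0.20 http://example-d.invalid/search?q=7832ghd 200
"""

# The post recommends watching for "7832ghd" in the request string. The query-string
# shape (8 letters = 6 letters) is an assumption generalised from "?abcdEfgh=ZYXwvu",
# so it only raises the severity of a hit rather than gating the match.
MARKER = "7832ghd"
QUERY_RE = re.compile(r"\?[A-Za-z]{8}=[A-Za-z]{6}$")
# Attachment name from the post: "Ord" + reference digits + .zip, possibly saved as .dzip.
ATTACHMENT_RE = re.compile(r"^Ord\d+\.d?zip$", re.IGNORECASE)


@dataclass
class Hit:
    client: str
    url: str
    severity: str  # "high" when the URL also carries the randomised query shape


def scan_proxy_log(text: str) -> list[Hit]:
    """Flag every request whose URL contains the marker string."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        client, url = parts[0], parts[1]
        if MARKER not in url:
            continue
        severity = "high" if QUERY_RE.search(url) else "medium"
        hits.append(Hit(client, url, severity))
    return hits


def is_suspicious_attachment(filename: str) -> bool:
    """True for names matching the campaign's attachment pattern, .zip or .dzip."""
    return ATTACHMENT_RE.match(filename) is not None
```

Plain substring matching also catches the last sample line, where 7832ghd appears only as a search term, so the severity split is what separates the likely download from noise.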
UPDATE: The Hybrid Analysis of one of the scripts does not add much except to confirm that this is ransomware.