Date: 6 October 2016 at 07:16
Please find attached Invoice 42888419 for your attention.
Should you have any Invoice related queries please do not hesitate to contact either your designated Credit Controller or the Main Credit Dept. on 01635 279370.
For Pricing or other general enquiries please contact your local Sales Team.
### This mail has been sent from an un-monitored mailbox ###
The name of the sender and reference numbers will change from email to email. Attached is a Word document with a name in a format similar to 20161006_42888419_Invoice.doc.
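Because both the reference number and the sender change from message to message, a mail filter cannot key on a fixed filename; it has to match the shape `YYYYMMDD_NNNNNNNN_Invoice.doc` and correlate it with the rest of the message. The following is an added example (not the blog's own tooling) showing that check run over a few constructed messages; the message bodies, reference numbers and attachment names below are invented for the example, modelled on the lure quoted above.

```python
import re
from datetime import datetime

# Constructed sample messages modelled on the lure above (bodies, reference
# numbers and attachment names are invented for this example, not captured samples).
SAMPLE_MESSAGES = [
    {   # typical message from the run: date prefix and reference both line up
        "date": "2016-10-06",
        "body": "Please find attached Invoice 42888419 for your attention.",
        "attachments": ["20161006_42888419_Invoice.doc"],
    },
    {   # same lure, different reference number
        "date": "2016-10-06",
        "body": "Please find attached Invoice 77812003 for your attention.",
        "attachments": ["20161006_77812003_Invoice.doc"],
    },
    {   # unrelated invoice mail: attachment does not follow the pattern
        "date": "2016-10-06",
        "body": "Invoice 1001 attached as discussed.",
        "attachments": ["INV-1001.pdf"],
    },
    {   # pattern matches but the date prefix and reference do not correlate
        "date": "2016-10-07",
        "body": "Please find attached Invoice 42888419 for your attention.",
        "attachments": ["20161006_55555555_Invoice.doc"],
    },
]

# YYYYMMDD_NNNNNNNN_Invoice.doc: both numeric fields vary per message,
# so the check is on the shape of the name, not on a fixed filename.
ATTACHMENT_RE = re.compile(r"^(?P<date>\d{8})_(?P<ref>\d{8})_Invoice\.doc$", re.IGNORECASE)
# The lure repeats the reference number in the body ("Invoice 42888419").
BODY_REF_RE = re.compile(r"\bInvoice\s+(\d{8})\b")


def classify(msg):
    """Return the list of findings for one message (empty list = no lure match)."""
    findings = []
    body_refs = set(BODY_REF_RE.findall(msg["body"]))
    for name in msg["attachments"]:
        m = ATTACHMENT_RE.match(name)
        if not m:
            continue
        findings.append("attachment name matches lure pattern")
        try:
            prefix = datetime.strptime(m.group("date"), "%Y%m%d").date()
            sent = datetime.strptime(msg["date"], "%Y-%m-%d").date()
            findings.append("date prefix matches mail date" if prefix == sent
                            else "date prefix differs from mail date")
        except ValueError:
            findings.append("date prefix is not a valid date")
        findings.append("reference repeated in body" if m.group("ref") in body_refs
                        else "reference not found in body")
    return findings


def scan(messages):
    """Return the indexes of messages whose attachment matches the lure pattern."""
    return [i for i, msg in enumerate(messages) if classify(msg)]


if __name__ == "__main__":
    for i, msg in enumerate(SAMPLE_MESSAGES):
        print(i, msg["attachments"], classify(msg))
```

The pattern match alone is what decides whether a message is flagged; the date and reference correlations are recorded so an analyst can tell a message from this run (everything lines up) from a copycat or a mangled sample.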
The telephone number appears to belong to a company called Stearn who have absolutely nothing to do with this spam.
The sample I sent for automated analysis downloads some data from:
I know from my sources (thank you, you know who you are) that there are additional download locations at:
This particular variant of Locky ransomware uses black hat hosting for this download location rather than a hacked legitimate site. All these domains are hosted on the following IPs:
220.127.116.11 (FiberLink Networks, Lebanon)
18.104.22.168 (Andrexen, France)
Furthermore, those IPs are associated with these malicious domains (active ones are in bold):
All of these are tagged for malware by SURBL. Most of them have either anonymous registration or obviously fake details, although this one (for the domain steyjixie.net) stands out:
Registry Registrant ID:
Registrant Name: Taras Ponomarev
Registrant Organization: N/A
Registrant Street: g. Belgorod, ul. Malysheva 96, kv. 124
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 111111
Registrant Country: RU
Registrant Phone: +7.527221603
Registrant Fax: +7.527221603
Registrant Email: firstname.lastname@example.org
Registry Admin ID:
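The registrant record above can be sanity-checked mechanically rather than by eye. The following is an added example, not the blog's own tooling: it parses the Key: Value lines quoted above and flags the inconsistencies a human notices (the street line places the address in Belgorod while the City field says Moscow, the postal code is 111111, phone and fax are identical, and the number has too few digits for a Russian +7 number). The "g. <city>" street heuristic and the NATIONAL_DIGITS table are assumptions of the example, and the record string is a copy of the block quoted above.

```python
import re

# The registrant block quoted above, copied here as a string so the check runs offline.
WHOIS_RECORD = """\
Registry Registrant ID:
Registrant Name: Taras Ponomarev
Registrant Organization: N/A
Registrant Street: g. Belgorod, ul. Malysheva 96, kv. 124
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 111111
Registrant Country: RU
Registrant Phone: +7.527221603
Registrant Fax: +7.527221603
Registrant Email: firstname.lastname@example.org
"""


def parse_whois(text):
    """Parse 'Key: Value' lines into a dict; a key with no value maps to ''."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    return record


# Russian street lines commonly start with "g. <city>" (gorod = city), so the
# city named there can be compared with the separate City field (heuristic).
CITY_IN_STREET_RE = re.compile(r"\bg\.\s*([A-Za-z-]+)", re.IGNORECASE)

# Expected national number length after the country code, for the codes checked here
# (assumption of this example; Russian numbers carry 10 digits after +7).
NATIONAL_DIGITS = {"+7": 10}


def registrant_red_flags(record):
    """Return a list of reasons the registrant details look fabricated."""
    flags = []
    postal = record.get("Registrant Postal Code", "")
    if postal and len(set(postal)) == 1:
        flags.append("postal code %s is one repeated digit" % postal)
    phone = record.get("Registrant Phone", "")
    fax = record.get("Registrant Fax", "")
    if phone and phone == fax:
        flags.append("phone and fax numbers are identical")
    # WHOIS phone format is +CC.NNNN, so split on the first dot.
    cc, _, national = phone.partition(".")
    expected = NATIONAL_DIGITS.get(cc)
    digits = re.sub(r"\D", "", national)
    if expected and len(digits) != expected:
        flags.append("phone %s has %d national digits, %s numbers have %d"
                     % (phone, len(digits), cc, expected))
    city = record.get("Registrant City", "")
    m = CITY_IN_STREET_RE.search(record.get("Registrant Street", ""))
    if m and city and m.group(1).lower() != city.lower():
        flags.append("street line names %s but City field says %s" % (m.group(1), city))
    return flags


if __name__ == "__main__":
    for flag in registrant_red_flags(parse_whois(WHOIS_RECORD)):
        print("-", flag)
```

None of these checks is proof on its own; the point is that several cheap plausibility tests fire at once on a record that is meant to pass as a real person, which is what makes this one stand out from the anonymous registrations around it.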
A DLL is dropped with a detection rate of 13/56.
I completely forgot to include the C2. D'oh.
22.214.171.124/apache_handler.php (Netart, Russia)