Subject: Please find attached a XLS Invoice 378296
From: email@example.com (firstname.lastname@example.org)
Date: Tuesday, 29 November 2016, 10:32
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
Please find attached your Invoice for Goods/Services recently delivered. If you have any questions, then pleasedo not hesitate in contacting us.Karen Lightfoot -Credit Controller, Ansell Lighting, Unit 6B, Stonecross Industrial Park, Yew Tree Way, WA3 3JD. Tel: +44 (0)5216 154 830 Fax: +44 (0)5216 154 830
The email comes from a random creditcontrol@something email address. Attached is a malicious Excel file with a name such as INVOICE.TAM_378296_20161129_886C9EAB6.xls.
My usual reliable source says that the various versions of Excel spreadsheet download a component form one of the following locations:
The Hybrid Analysis shows that this is Locky ransomware, phoning home to:
18.104.22.168/information.cgi [hostname: nikita.grachev.81.example.com] (Megaserver LLC, Russia)
22.214.171.124/information.cgi [hostname: sbg.13.vds.abcvg.ovh] (OVH, France)
126.96.36.199/information.cgi (Selectel SPb, Russia)
A DLL is dropped with an MD5 of b46f0fcb0f962f41b5b43725b440dabb and a VirusTotal detection rate of 11/57.