Tuesday, 8 November 2016

Malware spam: "Statement" leads to Locky

Another terse fake financial spam leading to Locky ransomware:

Subject:     Statement
From:     accounts@somedomain.tld
Date:     Tuesday, 8 November 2016, 10:59

For your Information.
The sender domain varies. Attached is a ZIP file with a name similar to Statement PDF - 56765041263.zip, which in turn contains a malicious WSF script (like this) named in a format similar to SLM245260-0214.wsf.
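A mail-gateway check for this lure, written as an added example (not code from the original post): it flags a ZIP attachment whose name follows the "Statement PDF - <digits>.zip" pattern, whose contents include a Windows script file, or whose inner file name follows the SLM245260-0214.wsf pattern. The inert sample archive it builds is constructed for the test and is not the real attachment.

```python
import io
import re
import zipfile

# Name patterns taken from the post's examples:
# outer ZIP "Statement PDF - 56765041263.zip", inner script "SLM245260-0214.wsf".
ZIP_NAME_RE = re.compile(r"^Statement PDF - \d+\.zip$", re.IGNORECASE)
WSF_NAME_RE = re.compile(r"^[A-Z]{3}\d{6}-\d{4}\.wsf$", re.IGNORECASE)
# Windows Script Host and HTML Application extensions that should not arrive by mail.
SCRIPT_EXTS = (".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta")


def inspect_zip_attachment(filename, data):
    """Return the reasons an attachment resembles this Locky lure (empty list = clean)."""
    reasons = []
    if ZIP_NAME_RE.match(filename):
        reasons.append("zip name matches 'Statement PDF - <digits>.zip' lure")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["attachment is not a valid ZIP"]
    for name in names:
        lower = name.lower()
        if lower.endswith(SCRIPT_EXTS):
            reasons.append(f"archive contains script file {name!r}")
        if WSF_NAME_RE.match(name):
            reasons.append(f"{name!r} matches campaign pattern AAA999999-9999.wsf")
    # The lure says "PDF" in the outer name but the archive holds no PDF at all.
    if "pdf" in filename.lower() and not any(n.lower().endswith(".pdf") for n in names):
        reasons.append("name promises a PDF but archive holds none")
    return reasons


def build_sample_zip(inner_name, content=b"<job><script language='JScript'></script></job>"):
    """Constructed, harmless archive used only to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip("SLM245260-0214.wsf")
    for reason in inspect_zip_attachment("Statement PDF - 56765041263.zip", sample):
        print("ALERT:", reason)
    print(inspect_zip_attachment("invoice.zip", build_sample_zip("invoice.pdf", b"%PDF-1.4")))
```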

Hybrid Analysis of this one sample shows a download occurring from:
There will no doubt be many other locations; if I get more information, I will post it here. The script drops a DLL with a detection rate of 14/56, and the malware appears to phone home to: (vpsville.ru, Russia) (OVH, Canada)

Recommended blocklist:
