Sponsored by..

Thursday 10 March 2016

Malware spam: "Attached File" / canon@victimdomain.tld leads to Locky

This spam has a malicious attachment. It appears to come from within the sender's own domain. There is no body text.

From:    canon@victimdomain.tld
Date:    10 March 2016 at 09:02
Subject:    Attached File

In the sample I saw, there was an attachment victimname@victimdomain.tld_07567_273772.zip which contained a randomly-named script with a detection rate of 5/57. Automated analysis [1] [2] shows that this is the Locky ransomware, and it downloads a binary from:


This binary has a detection rate of  just 1/56. Those reports indicate that the malware phones home to: (Petersburg Internet Network Ltd, Russia) (PS Internet Company LLC, Kazakhstan)

There are probably many other download locations and some more C2s as well, I will update this post if I see them.


This additional analysis is from a trusted third party (thank you!)

Additional download locations:


Additional C2s: (FLP Kochenov Aleksej Vladislavovich, Ukraine) (FOP Sedinkin Olexandr Valeriyovuch, Ukraine)

Sender is canon or copier or epson or scanner or xerox at the victim's domain.

Recommended blocklist:

No comments: