Sponsored by..

Friday 11 March 2016

Malware spam: "FW: Payment 16-03-#507586" / "We have received this documents from your bank, please review attached documents."

These spam messages come from various senders with different references and attachment names.

From:    Thanh Sears
Date:    11 March 2016 at 10:29
Subject:    FW: Payment 16-03-#507586

Dear [redacted],

We have received this documents from your bank, please review attached documents.

Yours sincerely,

Thanh Sears
Financial Manager

This email has been scanned by the Symantec Email Security.cloud service.

Attached is a ZIP file named in the format payment_doc_507586.zip, containing a randomly named script containing one of the following strings plus a random number and also it seems a # sign at the end of some.

  • Post_Shipment_Confirmation_id
  • Post_Shipment_Label_id
  • q.
  • Post_Shipment_Case_id
  • Post_Tracking_Confirmation_id
  • Post_Parcel_Confirmation_id
Detection rates for these scripts are all zero at the moment [1] [2] [3]. A Malwr analysis of some of the samples [4] [5] [6] shows download locations at:


There are probably other download locations. The dropped binaries are actually different [1] [2] and both look like Locky ransomware. The C2s to block are the same as found in this earlier Locky run.


Two further download locations can be found at:


The dropped binaries are different again [1] [2],  but it is still Locky phoning home to the C2s detailed here.


Further download locations are at:

Again, the dropped binaries are all different but seem to be Locky [1] [2] [3] [4] [5].

1 comment:

TZ-Security said...

nro.gov .sd/23r35y44y5 is actually hosting iframed page from http://tehnoartss .in/kk/PC1sFW, with parameters ?se_referrer=' + encodeURIComponent(document.referrer) + '&default_keyword=' + encodeURIComponent(document.title) +