Sponsored by..

Wednesday 5 October 2016

Malware spam: "Document from.." leads to Locky

I have only received a single sample of this spam, presumably it comes from random senders. There is no body text in my sample.

Subject:     Document from Paige
From:     Paige cuddie (Paige592035@gmail.com)
Date:     Wednesday, 5 October 2016, 9:37 
In this case there was an attached file DOC-20161005-WA0002793.zip containing a malicious script [pastebin] DOC-20161005-WA0002715.wsf.

Automated analysis [1] [2] shows this sample downloads from:


There will be many other locations besides this.

Those same reports show the malware (in this case Locky ransomware) phoning home to: (Overoptic Systems, UK / Russia) (Ildar Gilmutdinov aka argotel.ru, Russia)

The sample I found downloaded a legitimate binary from ciscobinary.openh264.org/openh264-win32-v1.3.zip presumably as an anti-analysis technique.

Recommended blocklist:

No comments: