From: Sara Osborne
Date: 26 May 2016 at 10:53
Subject: RE:
Dear sales,
Please find attached a document containing our responses to the other points which we
discussed on Monday 23rd May.
Please let me know if you have any queries
Regards,
Wayfair Inc.
Sara Osborne
Attached is a ZIP file (the ones I have seen so far all begin with responses_) which contains a malicious script named in a similar way to employees -382-.js. These have a typical detection rate of 4/56.
Two samples analysed by Malwr [1] [2] show download locations from:
newgeneration2010.it/mkc27f
projectodetalhe.pt/do5j36a
There will be many other download locations too. These drop two different binaries (VirusTotal results [3] [4]). Those two VT results plus these two DeepViz analyses [5] [6] show the malware phoning home to:
138.201.93.46 (Hetzner, Germany)
107.181.187.12 (Total Server Solutions, US)
212.109.219.31 (JSC Server, Russia)
5.152.199.70 (Redstation, UK)
This behaviour is consistent with Locky ransomware.
Recommended blocklist:
138.201.93.46
107.181.187.12
212.109.219.31
5.152.199.70
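As an added illustration (not part of the original advisory), the following Python script turns the indicators above into two defensive checks: one flags mail attachments that fit the lure naming (a responses_*.zip wrapping a script named like employees -382-.js), and one scans proxy or firewall log lines for the download hosts and the blocklisted C2 addresses. The naming regex generalises the single example on the page to any word followed by a dash-wrapped number, which is an assumption; the ZIP and log lines are constructed sample data, not captured artefacts.

```python
import io
import re
import zipfile

# Indicators quoted from the advisory above.
C2_BLOCKLIST = {"138.201.93.46", "107.181.187.12", "212.109.219.31", "5.152.199.70"}
DOWNLOAD_HOSTS = {"newgeneration2010.it", "projectodetalhe.pt"}

# Lure naming: responses_<...>.zip wrapping "<word> -<number>-.js" (assumed generalisation).
ZIP_NAME_RE = re.compile(r"^responses_.*\.zip$", re.IGNORECASE)
SCRIPT_NAME_RE = re.compile(r"^[a-z]+ -\d+-\.js$", re.IGNORECASE)

def suspicious_scripts(attachment_name, attachment_bytes):
    """Return ZIP members named like the campaign's script; [] if no match or not a ZIP."""
    if not ZIP_NAME_RE.match(attachment_name):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(attachment_bytes)) as zf:
            return [m for m in zf.namelist() if SCRIPT_NAME_RE.match(m)]
    except zipfile.BadZipFile:
        return []

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)

def indicator_hits(log_lines):
    """Return (line, indicator) pairs for lines referencing a C2 address or download host."""
    hits = []
    for line in log_lines:
        found = set(IP_RE.findall(line)) & C2_BLOCKLIST
        found |= {h.lower() for h in HOST_RE.findall(line)} & DOWNLOAD_HOSTS
        hits.extend((line, ind) for ind in sorted(found))
    return hits

def _build_sample_zip():
    # Constructed stand-in for the attachment: an inert text member, not malware.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("employees -382-.js", "// placeholder body\n")
    return buf.getvalue()

# Constructed sample data, not from the advisory.
SAMPLE_ZIP = _build_sample_zip()
SAMPLE_LOGS = [
    "2016-05-26T10:55:01Z proxy GET http://newgeneration2010.it/mkc27f 200",
    "2016-05-26T10:55:09Z fw ALLOW 10.0.0.5 -> 138.201.93.46:80",
    "2016-05-26T10:56:00Z proxy GET http://intranet.example/index.html 200",
]
```

Running suspicious_scripts("responses_4471.zip", SAMPLE_ZIP) returns the matching member name, and indicator_hits(SAMPLE_LOGS) returns one hit for the download host and one for the C2 address.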