From: victim@domain.tld
To: victim@domain.tld
Date: 17 March 2016 at 10:37
Subject: Document32

Inside is a randomly-named script (sample VirusTotal reports [1] [2] [3] [4] [5] [6] [7]). These Malwr reports [8] [9] [10] [11] [12] [13] indicate that the script attempts to download a binary from the following locations:
escortbayan.xelionphonesystem.com/wp-content/plugins/hello123/89h8btyfde445.exe
fmfgrzebel.pl/wp-content/plugins/hello123/89h8btyfde445.exe
superiorelectricmotors.com/wp-content/plugins/hello123/89h8btyfde445.exe
sabriduman.com/wp-content/plugins/hello123/89h8btyfde445.exe
bezerraeassociados.com.br/wp-content/plugins/hello123/89h8btyfde445.exe
The dropped binary has a detection rate of just 2/57. Those reports and these other automated analyses [14] [15] [16] show network traffic to:
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
46.148.20.46 (Infium UAB, Ukraine)
188.127.231.116 (SmartApe, Russia)
195.64.154.114 (Ukrainian Internet Names Center, Ukraine)
This is Locky ransomware.
Recommended blocklist:
78.40.108.39
46.148.20.46
188.127.231.116
195.64.154.114
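The indicators above split into two stages: the downloader script fetching the payload from compromised WordPress sites (the same plugin path reused on every host), and the dropped binary contacting the four C2 addresses. The following is an added example, not part of the original post, of turning both lists into a quick proxy-log sweep that flags the download stage and the C2 stage separately and lists the internal clients that need attention. The log format (`timestamp client_ip dest_ip method url status`) and the log lines are constructed for the example; adapt the regex to whatever your proxy actually writes. It matches the payload path on any host, not only the five listed, since the same path was reused across sites.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators from the analysis above: stage-1 download hosts and path, stage-2 C2 addresses.
DOWNLOAD_HOSTS = {
    "escortbayan.xelionphonesystem.com",
    "fmfgrzebel.pl",
    "superiorelectricmotors.com",
    "sabriduman.com",
    "bezerraeassociados.com.br",
}
DOWNLOAD_PATH = "/wp-content/plugins/hello123/89h8btyfde445.exe"
C2_IPS = {
    ipaddress.ip_address(a)
    for a in ("78.40.108.39", "46.148.20.46", "188.127.231.116", "195.64.154.114")
}

# Assumed (constructed) proxy log format: "<ts> <client_ip> <dest_ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dest>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify(line):
    """Return a hit record for one log line, or None if the line is unparseable or clean."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    hits = []
    # Stage 1: the script fetching the payload. The path alone is a strong indicator,
    # so flag it even on hosts that were not in the list at the time of writing.
    if url.path == DOWNLOAD_PATH:
        hits.append("payload-download-path")
    if host in DOWNLOAD_HOSTS:
        hits.append("known-download-host")
    # Stage 2: the dropped binary talking to C2, matched on destination address.
    try:
        dest = ipaddress.ip_address(m["dest"])
    except ValueError:
        dest = None
    if dest in C2_IPS:
        hits.append("locky-c2")
    if not hits:
        return None
    return {"ts": m["ts"], "client": m["client"], "host": host,
            "dest": m["dest"], "hits": hits}


def scan(lines):
    """Run classify() over an iterable of log lines and keep only the hits, in order."""
    return [r for r in (classify(line) for line in lines) if r]


def affected_clients(results):
    """Internal addresses seen in any hit; these are the machines to isolate and image."""
    return {r["client"] for r in results}


# Constructed sample log; IPs 10.0.0.x, 203.0.113.x, 198.51.100.x and 93.184.216.34 are
# placeholders, only the download path/host and the C2 address come from the analysis.
SAMPLE_LOG = """\
2016-03-17T10:41:02Z 10.0.0.15 93.184.216.34 GET http://example.com/index.html 200
2016-03-17T10:41:09Z 10.0.0.15 203.0.113.7 GET http://sabriduman.com/wp-content/plugins/hello123/89h8btyfde445.exe 200
2016-03-17T10:41:40Z 10.0.0.15 78.40.108.39 POST http://78.40.108.39/ 200
2016-03-17T10:42:01Z 10.0.0.22 198.51.100.4 GET http://other.example/wp-content/plugins/hello123/89h8btyfde445.exe 404
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for r in found:
        print(r["ts"], r["client"], "->", r["host"] or r["dest"], ",".join(r["hits"]))
    print("clients to isolate:", sorted(affected_clients(found)))
```

A client that shows a download hit followed by a C2 hit has almost certainly run the binary; a download hit with a non-200 status or no C2 follow-up is still worth a look, since the script tries several hosts in turn and only one needs to succeed.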