2017-06-22 - LOCKY MALSPAM - PDF ATTACHMENTS WITH EMBEDDED .DOCM FILES

ASSOCIATED FILES:

OTHER NOTES:

 

EMAILS


Shown above:  An example of the emails.

 

20 EXAMPLES:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME (PDF) -- EMBEDDED .DOCM FILE

 

MALWARE


Shown above:  An example of the PDF files attached to the malspam.

 


Shown above:  An example of the embedded Word documents seen when opening the PDF files.

 

SHA256 HASHES FOR THE PDF ATTACHMENTS:

 

SHA256 HASHES FOR THE EXTRACTED .DOCM FILES:

 

MALWARE RETRIEVED FROM INFECTED HOST:

 

TRAFFIC

URLS FROM THE WORD MACROS FILES TO DOWNLOAD LOCKY:

 

LOCKY POST-INFECTION TRAFFIC:

 


Shown above:  Traffic from the infection filtered in Wireshark.

 


Shown above:  HTTP GET request for the Locky binary.

 


Shown above:  Post-infection callback from the infected host.

 

IMAGES


Shown above:  Encrypted files have .loptr as the file extension.

 


Shown above:  Screen shot of the Locky decryptor asking 0.5 bitcoin for the ransom payment.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.