Ahmed Sonbol

Malspam delivers Locky 6-22-2017

Blog Post created by Ahmed Sonbol Employee on Jun 23, 2017

After few days of inactivity, this malspam campaign is back and yesterday it was delivering Locky ransomware. The campaign is known for using PDF attachments with embedded malicious Word documents. 


Here is the traffic for a download session in NetWitness Logs and Packets:



Note that an obfuscated file is first downloaded to an infected machine:



Once the download is complete, it is de-obfuscated and the final payload is saved to the same directory:



The checksum of the final payload is shown below:



Analysis results on VirusTotal suggest it is a Locky ransomware variant. Malware-Traffic-Analysis.net mentions that this Locky variant would run only on a Windows XP machine.


Submitting the delivery document to What's This File service shows more information about the malicious PDF document.





All the IOCs from those HTTP sessions were added to RSA FirstWatch Command and Control Domains feed on Live with the following meta values:

  • threat.source = 'rsa-firstwatch'
  • threat.category = 'malspam'
  • threat.description = 'delivery-domain'