Locky "Agreement form"

1. 2016-09-07 #locky email phishing camapign "Agreement form"
2.  
3. Email sample:
4. ---------------------------------------------------------------------------------------
5. From: "Kitty Ray"
6. To: [REDACTED]
7. Subject: Agreement form
8.  
9. Hi there,
10.  
11. Vaughn assigned you to make the payment agreement for the new coming employees.
12.  
13. Here is the agreement form. Please finish it urgently.
14.  
15. Best Regards,
16. Kitty Ray
17. Support Manager
18. ---------------------------------------------------------------------------------------
19. Attachment "<random_hexachars>.zip" contain 2 identical files "<8_random_hexachars> agreement_form_doc.js" and "<8_random_hexachars> agreement_form_doc - 1.js" a JScript downloaders
20.  
21. Download sites:
22. http://bookinghotworld.ws/0rvzpg1s
23. http://brothermalw.ws/5c8gwdp1
24. http://canonsupervideo4k.ws/afeb6
25. http://clubofmalw.ws/dn3q4s
26. http://donttouchmybaseline.ws/ecf2k1o
27. http://listofbuyersus.co.in/epzuqs
28. http://malwinstall.wang/fsdglygf
29. http://tradesmartcoin.xyz/jq8z2kpk
30. http://videoconvertermac.in/qx5f8w6z
31. http://virmalw.name/ykd1bqt
32.  
33. Malware:
34. https://www.reverse.it/sample/4c7c8e4cc0b3500c3ed31b308bb518176d8d3f3e58b75c9aae69871619106cee?environmentId=100
35. https://www.reverse.it/sample/3a8095aeee0e508f2f7689dd6e43124240ec28b672fbe31b80608f3fd99ea936?environmentId=100
36. https://www.reverse.it/sample/5ee80019682cd0f611b2b1e30a815702fe9df4a17ac0231d33b25d79bfaa219c?environmentId=100
37. https://www.reverse.it/sample/9f14c24aa13d06d773eeace1481eb58a7a76e5bd570f2367e1c944141679f877?environmentId=100
38. https://www.reverse.it/sample/911241b41764744e7ad79aab9e564c87a8102d1a0f84841738c3f986e43ddd78?environmentId=100
39.  
40. None of the HA analysis shows any download and none of the links seems to work (now and from my location)