2017-10-03 Locky "Emailing - DOCNNN"

1. 2017-10-03: #locky email phishing campaign "Emailing - DOCNNN"
2.  
3. Email sample:
4. ---------------------------------------------------------------------------------------------------------------------
5. From: LOUIE DINGSDALE <Louie0021@thedaviscompany.com>
6. To: [REDACTED]
7. Subject: Emailing - DOC845
8. Date: Tue, 03 Oct 2017 18:54:14 +0300
9.  
10. Hi
11.  
12. See attachment
13.  
14. Attachment: DOC845.7z -> PDF458.js
15. ---------------------------------------------------------------------------------------------------------------------
16. - subject is "Emailing - <PDF|DOC><3 digits>
17. - attached file "<DOC|PDF><3 digits>.7z" contains file "<DOC|PDF><3 digits>.js", a JScript downloader which will download malware from:
18.  
19. Download sites:
20. http://420ent.com/uyitfu65uy
21. http://acaciainvestigations.com/uyitfu65uy
22. http://atez.vn/uyitfu65uy
23. http://chimachinenow.com/uyitfu65uy
24. http://dbatee.gr/uyitfu65uy
25. http://eternallyclassicjewelry.com/uyitfu65uy
26. http://linksoft.co.nz/uyitfu65uy
27. http://matern-eger.de/uyitfu65uy
28. http://mysushi.it/uyitfu65uy
29. http://phmetreci.com/uyitfu65uy
30. http://restaurantelburladero.com/uyitfu65uy
31. http://runkel.com.mx/uyitfu65uy
32. http://sabines-marmeladen.de/uyitfu65uy
33. http://sancorbr.com.br/uyitfu65uy
34. http://shanta.de/uyitfu65uy
35.  
36. Updated:
37. http://envi-herzog.de/uyitfu65uy
38. http://ericajoy.com/uyitfu65uy
39. http://placecomp.com/uyitfu65uy
40. http://studioslefteris.gr/uyitfu65uy
41. http://yoma888.com/uyitfu65uy
42.  
43.  
44. Malware:
45. - Locky ransomware, offline ykcol variant
46. - SHA256: d57fbae4df7a967f388644f9abd118c1efe25d7d54e5d78d24355ced9d427f01, MD5: b75bd60dc3686fe62eb4a4a8372be966
47. - VT: https://www.virustotal.com/file/d57fbae4df7a967f388644f9abd118c1efe25d7d54e5d78d24355ced9d427f01/analysis/1507046577/
48. - HA: https://www.reverse.it/sample/d57fbae4df7a967f388644f9abd118c1efe25d7d54e5d78d24355ced9d427f01?environmentId=100