Racco42

2017-10-03 Locky "INVOICE"

Oct 3rd, 2017
2017-10-03: #locky email phishing campaign "INVOICE"

Email samples:
--------------------------------------------------------------------------------------------------------------------------
From: Ward Siddons <sales@[REDACTED]>
To: [REDACTED]
Subject: INVOICE
Date: Tue, 03 Oct 2017 11:56:59 +0200

Dear Sir,

PLEAS FIND ATTACHED YOUR INVOICE AS REQUESTED.


Thank you and Kind regard's

*Ward*

Attached: A_7643046228.7z -> 40d9e8b2-23ae-4ff0-9b31-f76ec9cedefa.js
--------------------------------------------------------------------------------------------------------------------------
- sender address is forged to appear to come from sales@<recipient domain>
- subject is INVOICE
- attached file "A_<8-12 digits>.7z" contains file "<8 hex chars>-<4 hex chars>-<4 hex chars>-<4 hex chars>-<12 hex chars>.js", a JScript downloader which downloads the malware from the following sites:

Download sites:


Malware:
- locky ransomware, offline ykcol variant
- SHA256: 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3, MD5: cf92bea857aea977023ad61ec6b6c980
- VT: https://www.virustotal.com/#/file/70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3/detection
- HA: https://www.reverse.it/sample/70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3?environmentId=100
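The sender, subject and attachment-naming traits listed above can be turned into a mail-gateway check. The following is an added example, not part of the paste: it matches one message's headers and attachment names against the campaign pattern (forged sales@<recipient domain> sender, subject INVOICE, A_<8-12 digits>.7z archive containing a UUID-named .js). The sample headers and the example.invalid domain are constructed placeholders; the archive's inner file names are assumed to come from an archive lister or sandbox.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Patterns taken from the campaign description: A_<8-12 digits>.7z archive and
# a UUID-shaped <8>-<4>-<4>-<4>-<12> hex .js inside it.
ARCHIVE_RE = re.compile(r"^A_\d{8,12}\.7z$", re.IGNORECASE)
INNER_JS_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.js$",
    re.IGNORECASE,
)

def split_addr(header_value):
    """Return (local part, domain), lower-cased, from a From:/To: header value."""
    _, addr = parseaddr(header_value or "")
    local, _, domain = addr.lower().rpartition("@")
    return local, domain

def match_indicators(raw_headers, attachment_names, inner_names=()):
    """Return the campaign indicators matched by one message; inner_names are the
    filenames inside the attached archive(s) as reported by an archive lister or
    sandbox (the archive itself is not opened here)."""
    msg = message_from_string(raw_headers)
    hits = []
    from_local, from_dom = split_addr(msg.get("From"))
    _, to_dom = split_addr(msg.get("To"))
    # Forged sender: local part "sales" on the recipient's own domain.
    if from_local == "sales" and from_dom and from_dom == to_dom:
        hits.append("forged sales@<recipient domain> sender")
    if (msg.get("Subject") or "").strip().upper() == "INVOICE":
        hits.append("subject INVOICE")
    if any(ARCHIVE_RE.match(n) for n in attachment_names):
        hits.append("A_<digits>.7z attachment")
    if any(INNER_JS_RE.match(n) for n in inner_names):
        hits.append("UUID-named .js inside archive")
    return hits

# Constructed sample modelled on the paste's email; example.invalid is a placeholder.
SAMPLE_HEADERS = """From: Ward Siddons <sales@example.invalid>
To: accounting@example.invalid
Subject: INVOICE
Date: Tue, 03 Oct 2017 11:56:59 +0200

"""
SAMPLE_ATTACHMENTS = ["A_7643046228.7z"]
SAMPLE_INNER = ["40d9e8b2-23ae-4ff0-9b31-f76ec9cedefa.js"]

if __name__ == "__main__":
    print(match_indicators(SAMPLE_HEADERS, SAMPLE_ATTACHMENTS, SAMPLE_INNER))
```

A message hitting all four indicators is a strong candidate for quarantine; a single hit (subject alone, for instance) is too weak on its own and is better used as an enrichment signal.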