2017-09-22 Locky "Your Invoice"

1. 2017-09-22: #locky email phishing campaign "Your Invoice # NNNNNN"
2.  
3. Email sample:
4. ----------------------------------------------------------------------------------------------------------------
5. From: "Janie" <Janie.Hallen@vwgolfmk4.ro>
6. Subject: Your Invoice # 87077
7. Date: Fri, 22 Sep 2017 15:34:34 +0300
8.  
9. Your Invoice is attached. =20
10.  
11. If you feel you have received this email in error, please reply to this email to inform us of any necessary corrections.
12.  
13. Attached: Invoice_file_704037.7z -> Invoice_file_37567.vbs
14. ----------------------------------------------------------------------------------------------------------------
15. - email does not contain To: header
16. - subject "Your Invoice # <5-6 digits>"
17. - attached file "Invoice_file_<5-6 digits>.7z" contains file "Invoice_file_<5-6 digits>.vbs", a VBScript downloader
18.  
19. Download sites:
20. http://aerotransfer.cl/jhdsgvc74
21. http://aldridgestudios.com/jhdsgvc74
22. http://alibristolphotography.com/jhdsgvc74
23. http://allesandradesigns.com/jhdsgvc74
24. http://amatuermatch.org/jhdsgvc74
25. http://amesatarragona.com/jhdsgvc74
26. http://ammannati.it/jhdsgvc74
27. http://anderlaw.com/jhdsgvc74
28. http://andresarlemijn.nl/jhdsgvc74
29. http://andza.lv/jhdsgvc74
30. http://animal-naturals.net/jhdsgvc74
31. http://antwerpiastamps.be/jhdsgvc74
32. http://appartement-sailer.at/jhdsgvc74
33. http://arc-conduite.com/jhdsgvc74
34. http://ar-inversiones.com/jhdsgvc74
35. http://arktupala.com/jhdsgvc74
36. http://ideathlike.net/p66/jhdsgvc74
37.  
38. Malware:
39. - locky, offline ,ykcol variant
40. - SHA256: 3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac, MD5: 693ef59145aa6b9e329f91538855ef64
41. - VT: https://www.virustotal.com/file/3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac/analysis/1506082671/
42. - HA: https://www.hybrid-analysis.com/sample/3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac?environmentId=100