2017-10-10 Locky "Voicemail From 845-551-NNNN"

2017-10-10: #locky email phishing camapign "Voicemail From 845-551-NNNN"

Email sample:
-----------------------------------------------------------------------------------------------------------------------
Date: Tue, 10 Oct 2017 21:38:26 +0530
From: Microsoft Voice <MSVoice@dhl.com>
Subject: Voicemail From 845-551-2955

Voice Message received at Tue, 10 Oct 2017 21:38:26 +0530
Voicemail Length 39 sec

Attached: VMSG9814443_20171010.7z -> VMSG398056009_20171010.vbs
-----------------------------------------------------------------------------------------------------------------------
- sender name is "Microsoft Voice" and email address is forged to look like coming from recipient's domain MSVoice@domain
- subject is "Voicemail From 845-551-<4 digits>"
- email does not have To: header
- attached file "VMSG<5-10 digits>_20171010.7z" contains file "VMSG<9-11 digits>_20171010.vbs, a VBScript downloader

Download sites:
http://alucmuhendislik.com/njhgftrf3
http://atlantarecyclingcenters.com/njhgftrf3
http://bit-chasers.com/njhgftrf3
http://bjp.co.id/njhgftrf3
http://centurythis.com/njhgftrf3
http://estudiperceptiva.com/njhgftrf3
http://handhi.com/njhgftrf3
http://hellonwheelsthemovie.com/njhgftrf3
http://hexacam.com/njhgftrf3
http://logica-info.com/njhgftrf3
http://mh-service.ru/njhgftrf3
http://miamirecyclecenters.com/njhgftrf3
http://monstermx.com/njhgftrf3
http://m-tensou.net/njhgftrf3
http://nsaflow.info/p66/njhgftrf3
http://paulcruse.com/njhgftrf3
http://suncoastot.com/njhgftrf3

Malware
- locky ransowmare, offline .asasin variant
- SHA256 a165963bb5575321c03f974e266808d34b695fa21d0f2dd96a66cd3c887bd5e7, MD5: 37c106c0d8e97fbe9ec10a037858ea23
- VT: https://www.virustotal.com/en/file/a165963bb5575321c03f974e266808d34b695fa21d0f2dd96a66cd3c887bd5e7/analysis/1507651868/
- HA: https://www.reverse.it/sample/a165963bb5575321c03f974e266808d34b695fa21d0f2dd96a66cd3c887bd5e7?environmentId=100