Malicious Word Doc sends Locky Ransomware

NOTES:
This Word document was downloaded from www.hybrid-analysis.com. This is my first time seeing Locky ransomware move from a malicious JavaScript to a malicious Word document. Below are the details of the infection chain.


ASSOCIATED DOMAINS:

  • 210.1.60.27 – discountghd.org – GET /89yg7g87byi – Locky DOWNLOAD
  • 31.184.197.126 – POST /userinfo.php – Locky C2 CHECK-IN


IMAGES and DETAILS:

Shown above: Malicious Word doc attempting to get the user to Enable Editing [MACROS]. Also note the extra letter “m” in the file extension, attempting to bypass mail filters.
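The extension trick only works against filters that key on the file name. The check below is an added example (not code from the original post or from hybrid-analysis.com) of deciding on the container contents instead: a zip-based Office file carries its macros in a vbaProject.bin part, and its main part is declared with a macro-enabled content type, so both can be read regardless of whether the file arrives as .docm, .doc or anything else. The sample documents built by build_sample are constructed in memory for the demonstration and are not the Locky sample; the function and result strings are my own naming.

```python
import io
import os
import zipfile

# Main-part content types Word assigns to macro-enabled files (OOXML spec).
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
)
PLAIN_DOC_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
MACRO_EXTENSIONS = (".docm", ".dotm")


def has_vba_macros(data: bytes) -> bool:
    """Return True if a zip-based (OOXML) Office file carries a VBA project.

    The decision is made on the container contents, not the file name, so a
    macro document renamed to .doc (or any other extension) is caught too.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # The compiled macro project is stored as an OLE stream named vbaProject.bin
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            # Second signal: the main document part is declared macro-enabled
            if "[Content_Types].xml" in names:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return any(t in ct for t in MACRO_CONTENT_TYPES)
    except zipfile.BadZipFile:
        # Not a zip container: legacy binary .doc (OLE2) needs an OLE parser instead
        pass
    return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Compare what the extension claims with what the container actually holds."""
    ext = os.path.splitext(filename)[1].lower()
    macros = has_vba_macros(data)
    if macros and ext not in MACRO_EXTENSIONS:
        return "macro-enabled, extension does not say so"
    if macros:
        return "macro-enabled"
    return "no macros"


def build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing (not a real malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_type = MACRO_CONTENT_TYPES[0] if macro else PLAIN_DOC_TYPE
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # OLE2 magic plus filler stands in for a real VBA project stream
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docm", build_sample(True)),
                       ("invoice.doc", build_sample(True)),
                       ("invoice.docx", build_sample(False))]:
        print(f"{name}: {classify_attachment(name, blob)}")
```

The BadZipFile branch is the caveat worth keeping: the legacy binary .doc format is an OLE2 compound file, not a zip, so a filter that wants to cover both formats needs an OLE parser for that path as well.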


Shown above: Locky payload downloaded with gzip compression. In past infections via malicious JavaScript the payload was not compressed.


Shown above: Locky post infection traffic with its known URI structure “userinfo.php”
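Two of the network observations above translate directly into detection logic: the download body has to be decompressed before a file-type check sees the executable header, and the check-in is a POST to a URI ending in userinfo.php. The script below is an added example written for this post, not the author's code or a tool referenced here. It runs both checks over constructed traffic records that reuse the host, URI and IP from the indicator list; the record format, the assumption that the gzip compression appeared as an HTTP Content-Encoding header, the alert names and the fake PE bytes are all mine.

```python
import gzip
from urllib.parse import urlsplit

# Check-in URI seen in the post-infection traffic
CHECKIN_PATH = "/userinfo.php"


def is_locky_checkin(method: str, url: str) -> bool:
    """Locky's beacon is an HTTP POST whose path ends in userinfo.php."""
    return method.upper() == "POST" and urlsplit(url).path.lower().endswith(CHECKIN_PATH)


def response_is_executable(content_encoding: str, body: bytes) -> bool:
    """True when the response body, decoded if gzip-compressed, is a PE (MZ) file.

    A filter that looks only at the raw bytes on the wire sees gzip magic, not
    MZ; undoing the transfer encoding first restores the real file header.
    """
    if content_encoding.lower() == "gzip":
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError):
            return False
    return body[:2] == b"MZ"


def scan(records):
    """Return (alert, url) pairs for every record that matches an indicator."""
    alerts = []
    for r in records:
        if is_locky_checkin(r["method"], r["url"]):
            alerts.append(("locky-c2-checkin", r["url"]))
        if r["method"].upper() == "GET" and response_is_executable(
            r.get("content_encoding", ""), r.get("body", b"")
        ):
            alerts.append(("gzip-wrapped-executable", r["url"]))
    return alerts


# Constructed sample traffic (not captured data): a stand-in PE header, not a real binary
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
SAMPLE_RECORDS = [
    {"method": "GET", "url": "http://discountghd.org/89yg7g87byi",
     "content_encoding": "gzip", "body": gzip.compress(FAKE_PE)},
    {"method": "POST", "url": "http://31.184.197.126/userinfo.php",
     "content_encoding": "", "body": b"id=PLACEHOLDER"},
    {"method": "GET", "url": "http://example.com/index.html",
     "content_encoding": "gzip", "body": gzip.compress(b"<html></html>")},
]

if __name__ == "__main__":
    for alert, url in scan(SAMPLE_RECORDS):
        print(f"{alert}: {url}")
```

The third record is there to show the gzip check is not a blanket gzip alert: ordinary compressed HTML decodes to something that is not MZ and is left alone.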


Shown above: Encrypted files using the .locky file extension


Shown above: Locky ransom note and decrypt instructions


Shown above: Locky registry entry for start-up


ASSOCIATED WORD DOCUMENT AND PAYLOAD:

  • 2016-05-04-Locky.docm
    www.hybrid-analysis.com Download Link
  • 2016-05-04-Locky.exe
    VirusTotal Link