2017-08-11 - "DIABLO6" LOCKY MALSPAM - PDF ATTACHMENTS WITH EMBEDDED .DOCM FILES

ASSOCIATED FILES:

NOTES:

 

EMAILS


Shown above:  An example of the emails.

 

10 EXAMPLES:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME (PDF) -- EMBEDDED .DOCM FILE

 

MALWARE


Shown above:  An example of the PDF files attached to the malspam.

 


Shown above:  An example of the embedded Word documents seen when opening the PDF files.

 

SHA256 HASHES FOR THE PDF ATTACHMENTS:

 

SHA256 HASHES FOR THE EXTRACTED .DOCM FILES:

 
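The .docm hashes above are obtained by pulling the embedded document out of each PDF attachment rather than by opening the PDF in a reader. The script below is an added example, not a tool from this site or from the samples it describes: it locates /EmbeddedFile stream objects in a PDF, inflates FlateDecode streams, reports the SHA256 of each payload, and flags the payload as a macro-bearing .docm when it is an OOXML zip that contains word/vbaProject.bin. The PDF it runs on is constructed inline by build_sample_pdf() around a tiny stand-in document; the filename invoice.docm, the object numbering and the zip contents are assumptions for the demonstration and are not taken from the malspam on this page.

```python
"""Extract /EmbeddedFile streams from a PDF and hash them (added example)."""
from __future__ import annotations

import hashlib
import io
import re
import zipfile
import zlib

# One stream object: "<num> <gen> obj <<dict>> stream\n".  The tempered
# (?:(?!endobj).)*? keeps the dictionary match inside a single object, and
# the trailing \s*stream forces the match to end at the dictionary's real >>
# even when it contains nested dictionaries such as /Params << ... >>.
STREAM_OBJ_RE = re.compile(
    rb"(\d+)\s+\d+\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.DOTALL)
# Direct /Length only; an indirect "/Length 6 0 R" falls back to endstream scanning.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s*\d+\s+R)")


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def has_vba_project(blob: bytes) -> bool:
    """A .docm is an OOXML zip; its macro container is word/vbaProject.bin."""
    if not blob.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return "word/vbaProject.bin" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def extract_embedded_files(pdf: bytes) -> list[dict]:
    """One record per /EmbeddedFile stream: object number, size, sha256, macro flag, bytes."""
    found = []
    for m in STREAM_OBJ_RE.finditer(pdf):
        obj_num, dictionary = int(m.group(1)), m.group(2)
        if re.search(rb"/Type\s*/EmbeddedFile", dictionary) is None:
            continue
        start = m.end()
        lm = LENGTH_RE.search(dictionary)
        if lm:
            raw = pdf[start:start + int(lm.group(1))]
        else:
            raw = pdf[start:pdf.find(b"endstream", start)].rstrip(b"\r\n")
        payload = zlib.decompress(raw) if b"/FlateDecode" in dictionary else raw
        found.append({
            "object": obj_num,
            "size": len(payload),
            "sha256": sha256_hex(payload),
            "has_vba": has_vba_project(payload),
            "data": payload,
        })
    return found


def build_sample_docm() -> bytes:
    """Constructed stand-in for a .docm: an OOXML zip with a vbaProject.bin entry.
    Fixed timestamps keep the bytes (and therefore the hash) deterministic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in [
            ("[Content_Types].xml", b"<Types/>"),
            ("word/document.xml", b"<w:document/>"),
            ("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 64),  # OLE magic + padding
        ]:
            info = zipfile.ZipInfo(name, date_time=(2017, 8, 11, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def build_sample_pdf() -> bytes:
    """Constructed sample PDF (not a real attachment): the .docm above is stored
    as a FlateDecode'd /EmbeddedFile referenced from the catalog's name tree."""
    docm = build_sample_docm()
    compressed = zlib.compress(docm)
    parts = [
        b"%PDF-1.7\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 3 0 R >> >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
        b"3 0 obj\n<< /Names [(invoice.docm) 4 0 R] >>\nendobj\n",
        b"4 0 obj\n<< /Type /Filespec /F (invoice.docm) /EF << /F 5 0 R >> >>\nendobj\n",
        b"5 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Params << /Size "
        + str(len(docm)).encode() + b" >> /Length " + str(len(compressed)).encode()
        + b" >>\nstream\n",
        compressed,
        b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print("PDF sha256:", sha256_hex(pdf))
    for rec in extract_embedded_files(pdf):
        kind = "OOXML with VBA project (.docm)" if rec["has_vba"] else "other"
        print(f"obj {rec['object']}: {rec['size']} bytes  {rec['sha256']}  {kind}")
```

On a real attachment, replace build_sample_pdf() with the bytes of the file; the hashes printed for the extracted payloads are the values to compare against a ".docm" hash list like the one above, and a payload flagged has_vba is the one whose macros fetch the next stage.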

MALWARE RETRIEVED FROM INFECTED HOST:

 

TRAFFIC

URLS FROM THE WORD MACROS TO DOWNLOAD LOCKY:

 

LOCKY POST-INFECTION TRAFFIC:

 


Shown above:  Traffic from the infection filtered in Wireshark.

 

IMAGES


Shown above:  Desktop of an infected Windows host.

 


Shown above:  Encrypted files have .diablo6 as the file extension.

 


Shown above:  Screenshot of the Locky decryptor asking 0.5 bitcoin for the ransom payment.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.