New VBS malware in email “Please verify” leads to Locky


MX Lab, http://www.mxlab.eu, has started to intercept a new malware distribution campaign by email with the subject “Please verify”.

This email is sent from spoofed addresses and has the following body:

Hey *******, as you requested, I have proofread the technical document you sent.
There are some confused parts in it.

Please verify the parts highlighted in the attached document.

Best Wishes,
Dillon Odonnell

The attached file tech_doc_85f5244.zip contains the file NRV26AIL.vbs (note that filenames will vary with each email).

The malware is detected as VBS/Locky.B, VBS/Agent.LKY!tr or Trojan-Ransom.Script.Locky by 21/54 AV engines at VirusTotal.
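
A mail-gateway check for the delivery pattern described above (a ZIP attachment carrying a .vbs file whose name changes with each email), as an added example that is not MX Lab's code. The extension blocklist, the helper names, the example.com addresses and the attachment name tech_doc_sample.zip are assumptions made for the illustration, and the sample message is constructed with an inert placeholder file.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist: script types Windows Script Host runs on double-click.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def script_members(zip_bytes):
    """List script files in a ZIP by reading its directory; nothing is extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    # Names vary per email, so match on extension (case-insensitive), not name.
    return [n for n in names if os.path.splitext(n)[1].lower() in SCRIPT_EXTS]


def scan_message(raw):
    """Return (attachment, member) pairs for script files found in ZIP attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Trust the ZIP magic bytes rather than the filename or MIME type.
        if payload.startswith(b"PK\x03\x04"):
            name = part.get_filename() or "<unnamed>"
            hits += [(name, member) for member in script_members(payload)]
    return hits


def build_sample(member_name):
    """Constructed message: ZIP attachment holding one inert placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "' inert placeholder, constructed for this example\n")
    msg = EmailMessage()
    msg["Subject"] = "Please verify"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("Please verify the parts highlighted in the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="tech_doc_sample.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample("NRV26AIL.vbs")))
```

A non-empty result is a reason to quarantine the message regardless of the attachment or member name.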