Emma Critchley Emailing – 5147245972715 leads to Locky ransomware — 4 Comments

  1. Looks like the download is actually encrypted and the docm decrypts it after downloading it, then runs it.
    Not sure if this is to get past antivirus software, as the decrypted code might be run from memory and not saved to disk.
    Have downloaded two of them and they are different sizes (284672 bytes, 283648 bytes) so different variants.
    They both start 3D 1B CA 37 7B 79 57 65 60 53 71 32 CC AC 57 70

Leave a Reply

Your email address will not be published. Required fields are marked *