Locky experiments with Windows Script Host delivery

Kevin Beaumont
2 min readFeb 19, 2016

In the last 30 minutes we’ve been targeted by Locky with emails in native language for the domain recipient. They successfully bypass most antivirus again, and work against Microsoft Outlook environments.

The emails look like this, i.e. a real business email:

The ZIP file contains a JavaScript file. Microsoft Outlook allows this to bypass safe file filtering by default, and helpfully unzips for you:

The Javascript file has 0% antivirus detection:

The JavaScript file does this:

The payload is Locky, with approximately 5% detection of the payload right now. See my prior posts on Locky.