The criminals behind the notorious Locky malware spam campaigns have once again shifted tactics in an effort to circumvent anti-spam and anti-virus detection.
Locky malware campaigns are typically characterized by a zipped .js file attached to a spam email. Cloudmark has documented Locky and its distribution tactics previously on our blog and in detail in our most recent threat report.
In this recent development, the actors have switched to using obfuscated Windows Script Files (.wsf) inside a zip archive. The .wsf vector was discussed in the previous Cloudmark Quarterly Threat Report. Windows Script Files (.wsf) allow mixing of JScript, VBScript, and other scripting languages within a single XML-formatted file. By using this file format, the criminals are essentially able to repackage their existing JScript code into a .wsf container.
Starting on July 13th, that week's Locky campaigns contained a zip file attachment with a name similar to the following:
Here is a screenshot of one particular malicious email:
The zip file contained a .wsf script file named similar to:
See below for a screenshot of the contents of one particular zip file:
Note that in the above attack the zip file name contains part of the victim’s email address. This is a social engineering tactic used in an attempt to add legitimacy to the email.
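The two traits described above, a .wsf container holding several script languages and an archive name that reuses the recipient's address, can be checked at the mail gateway. The following triage helper is an added example written for this post, not Cloudmark's code; the sample zip, its file names and the recipient address are all constructed here.

```python
"""Triage helper for zipped .wsf attachments (added example, constructed sample data)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

SCRIPT_SUFFIXES = (".wsf", ".js", ".jse", ".vbs", ".vbe")

def wsf_languages(data: bytes) -> list:
    """Return the script languages declared in a .wsf container.

    A .wsf is XML with one or more <script language="..."> blocks, which is what
    lets existing JScript be dropped into a new wrapper. Real samples are often
    not well-formed XML, so a regex scan is used when parsing fails.
    """
    try:
        langs = [s.get("language", "") for s in ET.fromstring(data).iter("script")]
    except ET.ParseError:
        hits = re.findall(rb'<script[^>]*language\s*=\s*"([^"]+)"', data, re.I)
        langs = [h.decode("ascii", "replace") for h in hits]
    return sorted({l.lower() for l in langs if l})

def triage_zip(zip_bytes: bytes, zip_name: str, recipient: str) -> dict:
    """Flag scriptable members and names that reuse the recipient's local part."""
    local_part = recipient.split("@")[0].lower()
    findings = {"script_members": {}, "name_reuses_recipient": False}
    if local_part and local_part in zip_name.lower():
        findings["name_reuses_recipient"] = True
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if local_part and local_part in name.lower():
                findings["name_reuses_recipient"] = True
            if name.lower().endswith(SCRIPT_SUFFIXES):
                is_wsf = name.lower().endswith(".wsf")
                findings["script_members"][name] = wsf_languages(zf.read(info)) if is_wsf else []
    return findings

# Constructed, benign .wsf mixing JScript and VBScript, as the format allows.
SAMPLE_WSF = b"""<job id="demo">
<script language="JScript">WScript.Echo("demo");</script>
<script language="VBScript">WScript.Echo "demo"</script>
</job>"""

def build_sample_zip(recipient: str) -> bytes:
    """Build an in-memory zip whose member name embeds the recipient's local part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"invoice_{recipient.split('@')[0]}.wsf", SAMPLE_WSF)
    return buf.getvalue()
```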
The Windows Script File is a downloader which attempts to download and execute the second stage payload from one of several locations. The second stage of the attack is the Locky payload. The following Indicators of Compromise (IOCs) were extracted from one sample: