Malicious script attached to email “Your order #47994403 – Corresponding Invoice #7704B491”


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Your order #47994403 – Corresponding Invoice #7704B491”.

This email is sent from the spoofed address “Jose Soto <SotoJose85350@gd-avocat.ch>” and has the following body:

Dear Valued Customer,

We are pleased to inform you that your order #47994403 has been processed and ready to be dispatched. However, according to our records, above mentioned invoice is still unpaid.
We would highly appreciate if you sent your payment promptly. For your information, don’t hesitate to check the invoice enclosed to this letter or contact us directly.
In case if you have already sent your payment, please disregards this letter and kindly allow us up to 3 business days to clear the incoming payment.

We look forward to your remittance and will the dispatch the goods.

Thank you for choosing our services we sincerely hope to continue doing business with you again.

Sincerely,
Jose Soto

Sales Department Manager
Fretter Inc.
2715 Sycamore Road
Nyssa, OR 97913

The attached file copy_invoice_47994403.zip contains the 12 kB file invoice_SCAN_esNDV.js, which is in fact an obfuscated JavaScript that downloads further malicious files from remote hosts.

The malicious script is detected as S/Downldr.CZ.gen or BehavesLike.JS.ExploitBlacole.zv by 2 of the 55 AV engines at VirusTotal.
SHA256: 6d0f812ca90175e117062644b4c917dad640cd830986ace2463adc42dd6e270e

Update 09/12/2015 – 15:55:

Further analysis shows that the malicious JavaScript is not meant to run in a web browser; it is written for the Windows Script Host (WSH), which is what executes a .js file opened from the zip on a Windows machine. The malware is downloaded from the following hosts:

46.151.52.197/85.exe
softextrain64.com/86.exe
46.151.52.197/86.exe

The 360 kB executable is detected as Win-Trojan/Teslacrypt.Gen, HW32.Packed.323C, BehavesLike.Win32.Downloader.fh or QVM20.1.Malware.Gen by 4 of the 54 AV engines at VirusTotal.
SHA256: 7b3ed4c70749a6db99a30233441def814b804dab692a67a45a88e32f8a83cf3b
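As an added example (not MX Lab's own tooling), the kind of mail-gateway check a defender could run on zip attachments like the one above: it flags archive members whose extension the Windows Script Host executes and looks for WSH-only APIs such as ActiveXObject and the WScript object, which are a common marker of scripts that, as noted above, only work outside a browser. The member name mirrors the campaign's file name, but the script body is a constructed, harmless placeholder, not the real obfuscated file.

```python
import io
import posixpath
import re
import zipfile

# File extensions that Windows Script Host runs when opened on Windows.
WSH_SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# APIs that exist under WSH but not in a browser; their presence in a .js
# attachment is a strong sign it was written to run via wscript.exe.
WSH_API_PATTERN = re.compile(r"ActiveXObject|WScript\.", re.IGNORECASE)


def inspect_zip_attachment(zip_bytes: bytes) -> list:
    """Return one finding per zip member that looks like a WSH script."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = posixpath.splitext(name)[1].lower()  # zip paths use '/'
            if ext not in WSH_SCRIPT_EXTENSIONS:
                continue
            # Read only a bounded prefix: this attachment is ~12 kB, but a
            # hostile archive could decompress to far more.
            head = zf.open(info).read(64 * 1024).decode("latin-1")
            findings.append({
                "member": name,
                "extension": ext,
                "uses_wsh_api": bool(WSH_API_PATTERN.search(head)),
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the campaign's attachment layout.

    The .js body is a placeholder, not the campaign's actual script."""
    placeholder = 'var sh = new ActiveXObject("WScript.Shell"); // placeholder\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_SCAN_esNDV.js", placeholder)
        zf.writestr("readme.txt", "not a script")  # should not be flagged
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip_attachment(build_sample_zip()):
        print(finding)
```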
