Malicious script attached to email “Invoice #62657921/58739D0D”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invoice #62657921/58739D0D” (characters in the subject vary with each email).

This email is sent from the spoofed address “Franklin Goff <GoffFranklin0252@everythingcreativedesigns.com>” and has the following body:

Dear Client,

Our finance department has processed your payment, unfortunately it has been declined.
Please, double check the information provided in the invoice down below and confirm your details.

Thank you for understanding.

The attached file SCAN_invoice_62657921.zip (numbers may vary) contains the 8 kB file invoice_PZCM5P.js, an obfuscated JavaScript. The malicious JavaScript is not written for a web browser; it is meant to be executed by the Windows Script Host (wscript.exe/cscript.exe), which is what runs when a user double-clicks a .js file on Windows.
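As an added defender-side example (not code from the MX Lab post), the following Python attachment check does what a mail gateway should do with this kind of campaign: it flags WSH-executable scripts sent directly or inside a .zip, and compares attachment hashes against the two SHA256 values quoted in the post. The sample message is constructed here with a harmless stub in place of the real dropper.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File extensions Windows Script Host (wscript.exe / cscript.exe) runs directly.
WSH_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
# SHA256 values quoted in the post (the .js dropper and the second-stage 87.exe).
KNOWN_BAD_SHA256 = {
    "8f1ab7d35175410e63b706454a826059573660e9c27ca1929108b6dc52b454ef",
    "9c289d9426d6f565cb640d2ccb49ee0af989463cbdb7cbdab6110997808c4061",
}

def inspect_attachment(name, data):
    """Return findings for one attachment given its filename and raw bytes."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        findings.append(f"{name}: SHA256 {digest} matches a known sample")
    if name.lower().endswith(WSH_EXTENSIONS):
        findings.append(f"{name}: WSH script attached directly")
    if name.lower().endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.filename.lower().endswith(WSH_EXTENSIONS):
                    findings.append(f"{name}: archive contains WSH script {member.filename}")
    return findings

def scan_message(raw):
    """Parse a raw RFC 822 message and inspect every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings.extend(inspect_attachment(name, part.get_payload(decode=True)))
    return findings

def build_sample():
    """Constructed message mimicking the campaign: a zip holding a harmless .js stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_PZCM5P.js", "// placeholder stub, not the real dropper\n")
    msg = EmailMessage()
    msg["Subject"] = "Invoice #62657921/58739D0D"
    msg.set_content("Dear Client, ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="SCAN_invoice_62657921.zip")
    return msg.as_bytes()
```

Invalid or encrypted archives raise zipfile.BadZipFile, which a production filter should catch and treat as its own finding rather than let through.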

The malware is detected as JS/Downldr.CZ.gen, JS/TrojanDownloader.Nemucod.CK, JS/Crypt.A!tr, BehavesLike.JS.ExploitBlacole.zv or Trojan.Script.Kryptik.dzcqji by 5 of the 54 AV engines at VirusTotal.

See VirusTotal or Malwr for more detailed information.
SHA256: 8f1ab7d35175410e63b706454a826059573660e9c27ca1929108b6dc52b454ef

The JavaScript can make contact with the following hosts/IPs:

soft2webextrain.com
myexternalip.com 78.47.139.102
kochstudiomaashof.de 213.185.88.133

New malware is downloaded from hxxp://46.151.52.231/87.exe?1.

The 426 kB executable 87.exe is then downloaded.

The malware is detected as UDS:DangerousObject.Multi.Generic, a variant of Win32/Injector.COFK, BehavesLike.Win32.PWSZbot.gc, PE:Trojan.Ransom-Tesla!1.A322 [F] or Trojan.Win32.R.Agent.425984.E[h] by 6 of the 55 AV engines at VirusTotal.

See VirusTotal or Malwr for more detailed information.
SHA256: 9c289d9426d6f565cb640d2ccb49ee0af989463cbdb7cbdab6110997808c4061