MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Scanned file from Optivet Referrals”.
This email is sent from the spoofed address “Optivet Referrals <email@example.com>” and has the following body:
Please find attached a document from Optivet Referrals.
The Reception Team at Optivet.
Optivet Referrals Ltd. Company Reg. No. 06906314. Registered office: Calyx House, South Road, Taunton, Somerset. TA1 3DU
Optivet Referrals Ltd. may monitor email traffic data and also the content of email for the purposes of security and staff training.
This message is private and confidential. If you have received this message in error, please notify us and remove it from your system.
The attached file 25082070268891.tiff.js is a malicious script.
The malware is detected as HEUR.JS.Trojan.b, Troj/JSDldr-DN or JS_NEMUCOD.XYZZ by 4 of the 54 AV engines at VirusTotal.
The malicious script will download other malware from the following location:
The downloaded malware is detected as UDS:DangerousObject.Multi.Generic, Win32/Trojan.Multi.daf or TSPY_DRIDEX.JDB by 3 of the 53 AV engines at VirusTotal.
Use VirusTotal for more detailed information.
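A mail-gateway style check for the attachment pattern seen in this campaign (a script extension behind a document extension, as in 25082070268891.tiff.js), added here as an example and not part of the original MX Lab post. The extension lists and function names are assumptions, the sample message is constructed with harmless content, and the check generalises beyond .tiff.js to other decoy/script pairs.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions run by Windows Script Host or mshta (assumed blocklist, adjust to local policy).
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta"}
# Document/image extensions used as a decoy in front of the real one (assumed list).
DECOY_EXTS = {"tiff", "tif", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}


def classify_filename(name):
    """Return 'double-extension-script', 'script', or None for an attachment name."""
    parts = name.strip().rstrip(". ").lower().split(".")  # Windows ignores trailing dots/spaces
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension-script"
    return "script"


def scan_message(raw_bytes):
    """Parse an RFC 5322 message and return [(filename, verdict)] for flagged attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()
        verdict = classify_filename(filename) if filename else None
        if verdict:
            hits.append((filename, verdict))
    return hits


def build_sample():
    """Constructed sample reusing the campaign's subject and attachment name; content is harmless."""
    msg = EmailMessage()
    msg["From"] = "Optivet Referrals <email@example.com>"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Scanned file from Optivet Referrals"
    msg.set_content("Please find attached a document from Optivet Referrals.")
    msg.add_attachment(b"// placeholder, not malware\n", maintype="application",
                       subtype="octet-stream", filename="25082070268891.tiff.js")
    msg.add_attachment(b"II*\x00", maintype="image", subtype="tiff", filename="scan.tiff")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict}: {name}")
```

The check keys on the file name only, so it complements rather than replaces content scanning of the attachment.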