Malicious script: Scanned file from Optivet Referrals


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Scanned file from Optivet Referrals”.

This email is sent from the spoofed address “Optivet Referrals <reception@optivet.com>” and has the following body:

Dear Sir/Madam

Please find attached a document from Optivet Referrals.

Yours faithfully

The Reception Team at Optivet.

Optivet Referrals Ltd. Company Reg. No. 06906314. Registered office: Calyx House, South Road, Taunton, Somerset. TA1 3DU
Optivet Referrals Ltd. may monitor email traffic data and also the content of email for the purposes of security and staff training.
This message is private and confidential. If you have received this message in error, please notify us and remove it from your system.

The attached file 25082070268891.tiff.js is a malicious script.

The malware is detected as HEUR.JS.Trojan.b, Troj/JSDldr-DN or JS_NEMUCOD.XYZZ by 4 of the 54 AV engines at VirusTotal.

Use VirusTotal or Malwr for more detailed information.
SHA256: d1ee98273bc70d5b06196bce99dff7cb30283daf38a271eed860da2418d7abba

The malicious script will download other malware from the following location:

hxxp://zuhr-kreativ.com/98876hg5/45gt454h

The downloaded malware is detected as UDS:DangerousObject.Multi.Generic, Win32/Trojan.Multi.daf or TSPY_DRIDEX.JDB by 3 of the 53 AV engines at VirusTotal.

Use VirusTotal for more detailed information.
SHA256: dd6c0c628e124462a843cd1308e25937636df4e4dc48e0d0a19e3b1455f57033
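As an added example (not part of the MX Lab post, and not the campaign's own script), here is a small Python triage helper that checks quarantined attachments and proxy log URLs against the indicators quoted above: the double-extension attachment name (`.tiff.js`), the two SHA256 hashes (the JS downloader and the downloaded payload), and the download host. The file names and byte strings fed to it are constructed for illustration; only the hashes and the defanged URL come from this post.

```python
import hashlib
import re
from typing import List, Optional, Set
from urllib.parse import urlparse

# Indicators quoted in the post above. The URL is kept defanged ("hxxp") so the
# list can be pasted around without becoming clickable.
IOC_SHA256: Set[str] = {
    "d1ee98273bc70d5b06196bce99dff7cb30283daf38a271eed860da2418d7abba",  # 25082070268891.tiff.js (JS downloader)
    "dd6c0c628e124462a843cd1308e25937636df4e4dc48e0d0a19e3b1455f57033",  # payload fetched by the script
}
IOC_DEFANGED_URLS: Set[str] = {"hxxp://zuhr-kreativ.com/98876hg5/45gt454h"}

# Windows Script Host / HTML Application extensions that execute on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}

# "<stem>.<inner>.<outer>": e.g. 25082070268891.tiff.js -> inner "tiff", outer "js".
DOUBLE_EXT_RE = re.compile(
    r"^(?P<stem>.+)\.(?P<inner>[a-z0-9]{1,5})\.(?P<outer>[a-z0-9]{1,4})$", re.IGNORECASE
)


def refang(url: str) -> str:
    """Turn a defanged hxxp:// or hxxps:// indicator back into a parseable URL."""
    return url.replace("hxxp", "http", 1)


def ioc_hosts() -> Set[str]:
    """Hostnames from the defanged IOC URLs, lower-cased for comparison."""
    return {urlparse(refang(u)).hostname.lower() for u in IOC_DEFANGED_URLS}


def is_double_extension_script(filename: str) -> bool:
    """True for names like 'x.tiff.js' where the real (outer) extension is a script."""
    m = DOUBLE_EXT_RE.match(filename.strip())
    if not m:
        return False
    return "." + m.group("outer").lower() in SCRIPT_EXTENSIONS


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def url_matches_ioc(url: str) -> bool:
    """True if the URL's host is one of the IOC download hosts (path is ignored on purpose:
    the campaign rotates paths far more often than hosts)."""
    host: Optional[str] = urlparse(url).hostname
    return bool(host) and host.lower() in ioc_hosts()


def triage_attachment(filename: str, data: bytes, known_hashes: Set[str] = IOC_SHA256) -> List[str]:
    """Return a list of findings for one attachment; an empty list means nothing matched."""
    findings: List[str] = []
    digest = sha256_hex(data)
    if digest in known_hashes:
        findings.append("sha256 matches known sample " + digest)
    if is_double_extension_script(filename):
        findings.append("double-extension script attachment: " + filename)
    elif filename.lower().endswith(tuple(SCRIPT_EXTENSIONS)):
        findings.append("script attachment: " + filename)
    return findings


if __name__ == "__main__":
    # Constructed sample: the real attachment name from the post with made-up contents.
    for name, blob in [("25082070268891.tiff.js", b"var a = 1;"), ("invoice.pdf", b"%PDF-1.4")]:
        print(name, "->", triage_attachment(name, blob) or "clean")
    print("http://zuhr-kreativ.com/98876hg5/45gt454h", "->", url_matches_ioc("http://zuhr-kreativ.com/98876hg5/45gt454h"))
```

The filename check is deliberately independent of the hash check: the hashes will change with every re-packed sample, while the `<digits>.tiff.js` naming and the script extension survive across waves of the same campaign, so the name rule is the one worth keeping in the mail gateway after the hashes go stale.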

One thought on “Malicious script: Scanned file from Optivet Referrals”

  1. As noted here, we have nothing to do with this email.

    http://myonlinesecurity.co.uk/scanned-file-from-optivet-referrals-js-malware-dridex/

    “All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

    Optivet Referrals has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.”

    Thanks

    Rob Lowe
    Optivet Referrals Ltd.
