MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with subjects like:
This fake email is sent from the spoofed address “Administrator <firstname.lastname@example.org>” and has the following body, consisting only of a signature and a disclaimer:
Head Office Nottingham
DISCLAIMER – The contents of this E-mail (including the contents of the enclosure/(s) or attachment/(s) if any) are privileged and confidential material of Hyperama PLC and should not be disclosed to, used by or copied in any manner by anyone other than the intended addressee/(s). If this E-mail (including the enclosure/(s) or attachment/(s)if any ) has been received in error, please advise the sender immediately and delete it from your system. The views expressed in this E-mail message (including the enclosure/(s)or attachment/(s) if any) are those of the individual sender, except where the sender expressly, and with authority, states them to be the views of Hyperama PLC. We cannot accept any responsibility for viruses, so please scan all attachments.The statements and opinions expressed in this message are those of the author and do not necessarily reflect those of the company.
The attached file doc748170290693.zip contains the 8 kB file DOC6378916467.js.
The malware is detected as HEUR.JS.Trojan.b, JS/Locky.D!Camelot, Trojan-Downloader:JS/Dridex.W or Win32.Trojan.Raas.Auto by 4 of the 55 AV engines at VirusTotal.
Malware will be downloaded from:
The malware is detected as Trojan/Win32.Locky or QVM20.1.Malware.Gen by 2 of the 55 AV engines at VirusTotal.