New Javascript malware: Invoice, Ref. 23128906


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invoice, Ref. 23128906” (the number will vary with each email).

This email is sent from spoofed addresses and has the following body:

Dear Valued Customer,

We are very grateful for your purchase. The specified sum of $353,89 was paid and now your order is being processed by our company.

Delivery information and the invoice can be found in the attached file.

Thank you!

Lonnie early
Sales Manager

The attached file Invoice_ref-71034591.zip contains the 8 kB file invoice_copy_nCQFPQ.js. Note that the filenames will vary with each email.

The malware is detected as JS/Downloader.Agent, HEUR:Trojan-Downloader.Script.Generic or HEUR_HTJS.HDJSFN by 3 of the 56 AV engines at VirusTotal.

Use VirusTotal or Malwr for more detailed information.
SHA256: 8f15506a77ba4952cd404973c73a1d3cfaed59f6d1cc77b0f0a32eb59265cd9d

The trojan will be downloaded from the location:

hxxp://blablaworldqq.com/69.exe

The malware is detected as Backdoor.W32.Androm or QVM41.1.Malware.Gen by 2 of the 54 AV engines at VirusTotal.

Use VirusTotal or Malwr for more detailed information.
SHA256: b74ce4970bab4f576fb8e193e01572666f1090c4e478a8b5f47d6bab7ed4bbe0