New Javascript malware: Order Confirmation – Payment Successful, Ref. 42400838


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Order Confirmation – Payment Successful, Ref.  42400838”.

This email is send from spoofed addresses and has the following body:

Dear Client,

Thank you for your transaction of $295,75. The shipping time varies from 3 to 5 business days, however we will do our best so you can receive your order as soon as possible.

We will send all the information regarding this case to your local post office. They will contact the phone number you provided when the package arrives.

Double check please the document enclosed to this email.

Thank you for your order and we hope to see you again as our customer.

Respectfully,
Benedict broadbent
Chief Accountant
97 N Forks Ave,
Forks, WA 26695
Phone: 955-989-7673

The attached file Invoice_ref-97471524.zip contains the 4 kB large file invoice_copy_LcMegn.js.

The nr in the email, the filemanes and the persons name in the signature will change with each email.

The malware is detected as JS/Downloader.Agent, HEUR.JS.Trojan.b or Win32.Trojan.Raas.Auto by 3 of the 55 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: 0a483de1ddb92a0d9f67a24301b5c5a9e7f4d8aaee5464097ed40b5e525e2538