New JavaScript malware: FW: Payment Declined PIN-149508

MX Lab started to intercept a new malware distribution campaign by email with the subject “FW: Payment Declined PIN-149508”.

This email is sent from spoofed addresses and has the following body:

Dear 6f3991180,

Our finance department has processed your payment, unfortunately it has been declined.

Please, double check the information provided in the invoice (attached to this mail) and confirm your details.

Thank you for understanding.

Janette Johns
Financial CEO

The attached file contains the 8 kB folder payment_document_141511, which holds two files: document_4f68e.js and inv_9139e6f7.js.

The malware is detected as HEUR.JS.Trojan.b or JS/ by 2 of the 56 AV engines at VirusTotal.

More detailed information on VirusTotal:

SHA256: b4aa375339cd46e6466c9de3486a3af5bd5883f5f6b552e94b6959ad24213c53
SHA256: 61d7bfb08aa2b1ccffec7298ade76298cede4f772fbfd15dd4944ee23cd2d811

Numbers in the subject of the email and file names may vary with each email.
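
Because the numbers change per message and AV coverage is low, a mail filter can key on the structure instead of the exact strings. The following is an added example, not code from MX Lab: the regular expressions are generalised from the single sample above, the attachment is assumed to be a ZIP archive, and `triage`, `script_members` and `build_sample` are hypothetical helper names.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Patterns generalised from the one sample on this page (assumption):
# the digit and hex parts are what varies with each email.
SUBJECT_RE = re.compile(r"^(?:FW:\s*)?Payment Declined PIN-\d+\s*$", re.I)
MEMBER_RE = re.compile(r"^payment_document_\d+/(?:document|inv)_[0-9a-f]+\.js$", re.I)

def script_members(blob):
    """Return names of .js members if blob is a ZIP archive, else []."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".js")]

def triage(raw):
    """Classify one raw RFC 5322 message against the campaign traits."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject_hit = bool(SUBJECT_RE.match(msg.get("Subject", "") or ""))
    js = []
    for part in msg.iter_attachments():
        js += script_members(part.get_payload(decode=True) or b"")
    named = [n for n in js if MEMBER_RE.match(n)]
    # A script inside an archive is quarantined on its own merits;
    # subject plus campaign-style member names is a confident match.
    if subject_hit and named:
        verdict = "campaign-match"
    elif js:
        verdict = "quarantine-script-in-archive"
    elif subject_hit:
        verdict = "suspicious-subject"
    else:
        verdict = "clean"
    return {"verdict": verdict, "subject_hit": subject_hit, "js": js}

def build_sample(subject, members):
    """Constructed test message; member contents are inert placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, "// inert placeholder\n")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.com"
    msg.set_content("Our finance department has processed your payment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()
```

The "quarantine-script-in-archive" verdict does not depend on the subject or file names, so it still fires if the sender changes the wording.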