March 14, 2016
MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “FW: Payment Declined PIN-149508”.
The email is sent from spoofed sender addresses and has the following body:
Our finance department has processed your payment, unfortunately it has been declined.
Please, double check the information provided in the invoice (attached to this mail) and confirm your details.
Thank you for understanding.
The attached file payment_document_141511.zip contains an 8 kB folder named payment_document_141511 with two files in it: document_4f68e.js and inv_9139e6f7.js. Both are JavaScript files, which Windows runs with the Windows Script Host when double-clicked, so opening either one from the extracted "invoice" executes the downloader directly.
At the time of writing the malware is detected as HEUR.JS.Trojan.b or JS/Downloader.gen.bi by only 2 of the 56 AV engines at VirusTotal, so signature-based scanning alone will not stop this campaign at the gateway.
More detailed information is available on VirusTotal.
The numbers in the email subject and in the file names vary from email to email, so filters should match on the pattern rather than on the exact values shown here.
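Because the AV coverage is so thin and the numeric suffixes vary per email, a practical gateway check is structural: match the subject on its pattern and look inside the ZIP attachment for script files. The following is an added example, not code from MX Lab or from the original post. It constructs an inert test message shaped like the campaign (the sender address, the recipient and the placeholder file contents are made up for the example; the real attachments were not reproduced) and then inspects it with the Python standard library, returning a report that a mail filter could act on.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Script extensions commonly used as email-borne downloaders inside archives.
# The campaign above used .js; the list is an assumption of what a gateway would block.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1"}

# Subject pattern of the campaign; the numeric suffix varies per email.
SUBJECT_RE = re.compile(r"payment declined pin-\d+", re.IGNORECASE)


def build_sample_eml() -> bytes:
    """Construct a test message shaped like the campaign (constructed data, inert payload)."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payment_document_141511/document_4f68e.js", "// inert placeholder\n")
        zf.writestr("payment_document_141511/inv_9139e6f7.js", "// inert placeholder\n")
    msg = EmailMessage()
    msg["From"] = "finance@example.invalid"  # spoofed sender, made up for the example
    msg["To"] = "user@example.invalid"       # made up for the example
    msg["Subject"] = "FW: Payment Declined PIN-149508"
    msg.set_content(
        "Our finance department has processed your payment, unfortunately it has been declined.\n"
        "Please, double check the information provided in the invoice (attached to this mail) "
        "and confirm your details.\n"
    )
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="payment_document_141511.zip")
    return msg.as_bytes()


def script_members(zip_bytes: bytes) -> list:
    """Return the names of archive members whose extension is a script type.

    Only the central directory is read; no member is extracted or executed.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits  # truncated or non-ZIP data: nothing to report from this check
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            ext = name[name.rfind("."):] if "." in name else ""
            if ext in SCRIPT_EXTENSIONS:
                hits.append(info.filename)
    return hits


def inspect_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report the campaign's indicators.

    verdict: "quarantine" if any attached archive carries a script file,
             "review" if only the subject pattern matched, else "deliver".
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"subject_match": bool(SUBJECT_RE.search(msg.get("Subject", ""))),
              "attachments": []}
    for part in msg.iter_attachments():
        payload = part.get_content()
        if not isinstance(payload, bytes):
            payload = b""  # text attachments are not archives
        entry = {"filename": part.get_filename() or "", "script_members": []}
        if zipfile.is_zipfile(io.BytesIO(payload)):
            entry["script_members"] = script_members(payload)
        report["attachments"].append(entry)
    scripted = any(a["script_members"] for a in report["attachments"])
    if scripted:
        report["verdict"] = "quarantine"
    elif report["subject_match"]:
        report["verdict"] = "review"
    else:
        report["verdict"] = "deliver"
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(inspect_message(build_sample_eml()), indent=2))
```

The archive check reads only the ZIP central directory, so it never extracts or runs the member files; that is what makes it safe to apply to every inbound attachment. The subject match is kept as a secondary signal because the wording of such campaigns changes more often than the script-in-archive delivery technique does.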