New Javascript malware: FW: Order F-456933


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “FW: Order F-456933”.

This email is sent from spoofed addresses and has the following body:

Dear 636dd40,

Thank you for your order.  Your Invoice – F-456933 – is attached.

As agreed this invoice will NOT be sent via post.

King Regards.

Jasmine Johns
Regional Executive Vice President

The attached file order_details_456933.zip contains the xx kB large folder order_details_456933 with the following three files inside:

payment_49ae1d.js  – click for details: Virus Total
payment_details_28a3230.js – click for details: Virus Total
thumbs.db

The malware is detected by only 1 of the 57 AV engines at Virus Total, as HEUR.JS.Trojan.b.

Analysis by Malwr is not possible currently because the submitted files remain in queue.

This campaign has more or less the same characteristics as “New Javascript malware: FW: Payment ACCEPTED M-395526”.

Note: numbers in the subject and filenames may change with each email.
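
Because only 1 of 57 engines detected the files, a mail gateway can also check for the structure described above. The following is an added example, not MX Lab's code: it flags a message when a zip attachment contains .js files and the subject or archive name fits the pattern seen here. The regular expressions are generalised from the single sample on this page, and the function names, addresses and sample message are constructed.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Patterns generalised from the single sample on the page; the digits vary per email.
SUBJECT_RE = re.compile(r"^FW: Order F-(\d+)$")
ZIP_NAME_RE = re.compile(r"^order_details_(\d+)\.zip$", re.IGNORECASE)

def inspect_message(raw: bytes) -> dict:
    """Collect the campaign indicators present in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw)
    subj = SUBJECT_RE.match((msg.get("Subject") or "").strip())
    out = {"subject_match": bool(subj), "zip_name_match": False,
           "number_match": False, "js_members": [], "unreadable_zip": False}
    for part in msg.walk():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True)
        if data is None or not name.lower().endswith(".zip"):
            continue
        zname = ZIP_NAME_RE.match(name)
        out["zip_name_match"] = out["zip_name_match"] or bool(zname)
        # Assumption: subject and archive name keep sharing one number, as in the sample.
        if subj and zname and subj.group(1) == zname.group(1):
            out["number_match"] = True
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                out["js_members"] += [n for n in zf.namelist() if n.lower().endswith(".js")]
        except zipfile.BadZipFile:
            out["unreadable_zip"] = True  # corrupt or not a zip: leave for manual review
    # Campaign hit: a script inside the archive plus at least one naming indicator.
    out["campaign_match"] = bool(out["js_members"]) and (
        out["subject_match"] or out["zip_name_match"])
    return out

def build_sample(subject="FW: Order F-456933", zip_name="order_details_456933.zip") -> bytes:
    """Constructed test message: the layout the page describes, with inert file contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in ("payment_49ae1d.js", "payment_details_28a3230.js", "thumbs.db"):
            zf.writestr("order_details_456933/" + member, b"inert placeholder")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, "sender@example.com", "rcpt@example.com"
    msg.set_content("Thank you for your order.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_sample()))
```

A zip that carries .js files but matches neither naming pattern is reported in `js_members` without setting `campaign_match`, so a broader policy on script attachments can still act on it.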