MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Fax transmission: -8947237532-1211276656-2016032127669-67373”.
This email is sent from the spoofed address “FX Service [email@example.com.******.com]” and has the following body:
Please find attached to this email a facsimile transmission we
have just received on your behalf
(Do not reply to this email as any reply will not be read by
a real person)
The attached file F-8947237532-1211276656-2016032127669-67373.zip contains the 8 kB file FQJ3272114302.js.
The malware is detected as HEUR.JS.Trojan.b, JS/Agent.EA!tr, Script.Trojan-Downloader.Agent.MO@gen or Js.Trojan.Raas.Auto by 5 of the 56 AV engines at VirusTotal.
The payload is downloaded from:
The malware is detected by 0 of the 56 AV engines at VirusTotal.
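With so few engines detecting the file, a mail-gateway check on the message structure described above is a useful complement. The following is an added example, not MX Lab's code: it flags a message whose zip attachment is named "F" plus the number string from the subject and contains a script file. The subject pattern is generalised from the single sample on this page, and the extension list and the names `check_message` and `build_sample` are assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: generalised from the one sample on this page, four
# hyphen-prefixed digit groups after "Fax transmission:".
SUBJECT_RE = re.compile(r"^Fax transmission:\s*((?:-\d+){4})\s*$")
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")  # assumed; the page shows only .js

def check_message(raw: bytes) -> dict:
    """Report which traits of this campaign a raw message exhibits."""
    msg = message_from_bytes(raw, policy=policy.default)
    m = SUBJECT_RE.match(str(msg.get("Subject", "")))
    res = {"subject_match": bool(m), "name_match": False, "scripts": []}
    for part in msg.walk():
        name = part.get_filename()
        if not name or not name.lower().endswith(".zip"):
            continue
        # Attachment name is "F" + the subject's number string + ".zip".
        if m and name == "F" + m.group(1) + ".zip":
            res["name_match"] = True
        try:
            data = part.get_payload(decode=True) or b""
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # List member names only; nothing is extracted or executed.
                res["scripts"] += [n for n in zf.namelist()
                                   if n.lower().endswith(SCRIPT_EXTS)]
        except zipfile.BadZipFile:
            pass  # unreadable archive: no script verdict from this part
    res["suspicious"] = res["name_match"] and bool(res["scripts"])
    return res

def build_sample(subject: str, zip_name: str, member: str) -> bytes:
    """Constructed message; the zip holds a harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "// placeholder, not malware\n")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("constructed test body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

`check_message` takes the raw bytes of a message as stored by the gateway; `build_sample` exists only to produce constructed input for testing the rule.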