New Javascript malware: FW: Order Status #240152


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “FW: Order Status #240152”

This email is sent from spoofed addresses and has the following body:

Dear aaotkpoirn,

We would like to thank you for your recent order.

Order Status updated on: 21/03/2016
Your Customer ID: 240152
Your Order ID: 653D7CAE43-M-2016
Invoice Number: 4329448

Delivery Note:
We received your order and payment on 17/03/2016

Your order details are attached.

Best regards,
Tania Holloway
Regional Sales Director

The attached file order_details_240152.zip contains the xx kB folder order_details_240152 with the following files (click on a file name for more details at Virus Total):

bootmgr
confirmation_d0987707.js
details_b78bab4.js

The file confirmation_d0987707.js (see Malwr for more information) contains the script that downloads further malware to the local system from:

hxxp://khacphucwifiyeu.com/oqped

The downloaded file is served as plain text, but once the .exe extension is added it becomes clear that it is a trojan.
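The two observations above, a zip attachment whose members are script droppers and a payload that is served as text but is really an executable, are what a mail gateway or triage script can check for. The following is an added example written for this post, not MX Lab's tooling: it unpacks a zip in memory, flags script-type members, checks every member for a PE header regardless of its name or extension, and compares member hashes against a small IoC list. The archive contents and the PE stub are constructed dummies; the only real value is the SHA-256 quoted in the post.

```python
import hashlib
import io
import os
import zipfile

# Extensions a defender would not expect inside an "order details" archive.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".cmd", ".bat", ".ps1"}

# Known-bad hash taken from the post (the campaign's payload).
KNOWN_BAD_SHA256 = {
    "3eaeb44049c3c45f3c61c749acd86ad8f9325717de4221e9768e021d85ee2c38",
}

# Constructed minimal DOS/PE header: 'MZ', e_lfanew at offset 0x3C pointing
# to offset 0x40, where the 'PE\0\0' signature sits. Not a runnable binary.
FAKE_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes carry a DOS stub plus PE signature, whatever the name."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def inspect_zip(zip_bytes: bytes) -> list:
    """Return one finding per file member: name, hash, and the three flags."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            ext = os.path.splitext(info.filename)[1].lower()
            digest = hashlib.sha256(data).hexdigest()
            findings.append({
                "name": info.filename,
                "sha256": digest,
                "is_script": ext in SCRIPT_EXTENSIONS,
                "is_pe": looks_like_pe(data),
                "known_bad": digest in KNOWN_BAD_SHA256,
            })
    return findings


def verdict(findings: list) -> str:
    """'block' if any member is a script, a PE, or a known IoC; else 'allow'."""
    for f in findings:
        if f["is_script"] or f["is_pe"] or f["known_bad"]:
            return "block"
    return "allow"


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_demo_zip() -> bytes:
    """Constructed stand-in for order_details_240152.zip; member bodies are dummies."""
    return build_zip({
        "order_details_240152/bootmgr": b"dummy, not a real boot manager",
        "order_details_240152/confirmation_d0987707.js": b"// dummy script body\n",
        "order_details_240152/details_b78bab4.js": b"// dummy script body\n",
    })


if __name__ == "__main__":
    for f in inspect_zip(build_demo_zip()):
        print(f)
    print("verdict:", verdict(inspect_zip(build_demo_zip())))
```

The PE check matters more than the extension check: the downloader in this campaign fetches a file with no extension at all, so a content-type or extension filter on the gateway sees text, while the MZ/PE signature test sees the executable.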

The malware is detected as Win32.Trojan.WisdomEyes.151026.9950.9955, QVM20.1.Malware.Gen or PE:Malware.XPACK-HIE/Heur!1.9C48 [F] by 3 of the 56 AV engines at Virus Total.

Use Virus Total or Malwr for more detailed information.
SHA256: 3eaeb44049c3c45f3c61c749acd86ad8f9325717de4221e9768e021d85ee2c38