New JavaScript malware: Bill N-82B21A


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Bill N-82B21A” (the combination of numbers and letters will vary).

The emails are sent from spoofed addresses. Some samples of the emails:

Dear *****.*******,

Please check the bill in attachment.
In order to avoid fine you have to pay in 48 hours.

Best regards
Doris Craft
Product Director

Dear e5550a7b,

Please check the bill in attachment.
In order to avoid fine you have to pay in 48 hours.

Best regards
Carolina Sellers
Sales Director

Dear IrOjRamm,

Please check the bill in attachment.
In order to avoid fine you have to pay in 48 hours.

Best regards
Maryanne Grant
Sales and Marketing Director

The attached file 3C88C_fank.houbechts_82B21A.zip contains the folder structure scan/a0997bbf with the extracted file d4e5b16b.js and f.

The malware is detected by X/54 AV engines at VirusTotal. Detailed analysis is available on Malwr.

Note that the subject line, the body of the email, the attached file and extracted file names may vary with each email.
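
A mail-gateway style check for the traits described above, as an added example that is not MX Lab's code: it flags a message whose ZIP attachment contains a script file and records whether the subject and attachment name follow the sample's pattern. The subject regex, the extension list beyond `.js`, and the function names are assumptions generalised from the single sample in this post; the test message is constructed and carries only placeholder text.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: pattern generalised from the one sample subject "Bill N-82B21A".
SUBJECT_RE = re.compile(r"^Bill N-([0-9A-Z]{6})$", re.IGNORECASE)
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")  # assumption: only .js is on the page


def zip_script_members(data):
    """List script files inside a ZIP by reading its directory, never extracting."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []


def check_message(raw):
    """Check one raw RFC 5322 message against the traits described in the post."""
    msg = message_from_bytes(raw, policy=policy.default)
    m = SUBJECT_RE.match(str(msg["Subject"] or "").strip())
    bill_id = m.group(1).upper() if m else None
    scripts, id_in_name = [], False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        scripts += zip_script_members(part.get_payload(decode=True) or b"")
        id_in_name = id_in_name or bool(bill_id and bill_id in name.upper())
    # Subject and file names vary per email, so the script inside the ZIP is
    # the durable signal; the subject match only labels the campaign.
    return {"subject_match": bill_id is not None, "id_in_attachment_name": id_in_name,
            "scripts": scripts, "quarantine": bool(scripts)}


def build_sample(subject, zip_name, member):
    """Constructed test message; the ZIP member is harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "// placeholder, not malware\n")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, "a@example.com", "b@example.com"
    msg.set_content("Please check the bill in attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=zip_name)
    return msg.as_bytes()
```
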