New JavaScript malware: New Doc 163 Page 9 in fake email from CamScanner


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “New Doc 163 Page 9” (note that the Doc and Page number will change with each email).

This email is sent from the spoofed address “CamScanner <*******@*********.**>” and has the following body:

Scanned by CamScanner

This email is not related to CamScanner.

The attached file New Doc 158_9.zip (the filename uses the Doc and Page numbers) contains the file 1683442243_7420115.js, which is a JavaScript document.

The malware is detected by 2/56 AV engines at VirusTotal, and the malicious file is detected as HEUR.JS.Trojan.ba or JS/Locky.Y.gen. The naming indicates that this is possibly Locky ransomware.

Note: no Malwr analysis is available because the service takes too long at this moment.
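The traits described above (subject pattern, CamScanner display name, ZIP attachment named after the Doc and Page numbers, script file inside the ZIP) can be checked at a mail gateway. The following is an added example, not code from MX Lab: the regular expressions are inferred from the single sample shown on this page, the extensions other than .js are an assumption, and the sample message is constructed with a harmless placeholder script and example.com addresses.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Patterns inferred from the one sample on this page (assumption).
SUBJECT_RE = re.compile(r"^New Doc \d+ Page \d+$", re.IGNORECASE)
ZIP_NAME_RE = re.compile(r"^New Doc \d+_\d+\.zip$", re.IGNORECASE)
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")  # only .js is from the page; rest assumed

def script_members(zip_bytes):
    """Return names of script files inside a ZIP, or [] if it is not a readable ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []

def check_message(raw):
    """Return the list of campaign traits found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    if SUBJECT_RE.match(str(msg["Subject"] or "").strip()):
        findings.append("subject")
    if "camscanner" in str(msg["From"] or "").lower():
        findings.append("sender-display-name")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        if ZIP_NAME_RE.match(name):
            findings.append("zip-name")
        # List archive members in memory; nothing is extracted or executed.
        scripts = script_members(part.get_payload(decode=True) or b"")
        findings.extend("script-in-zip:" + s for s in scripts)
    return findings

def build_sample():
    """Constructed sample message: placeholder script, example.com addresses."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("1683442243_7420115.js", "// constructed placeholder, no payload\n")
    msg = EmailMessage()
    msg["From"] = "CamScanner <sender@example.com>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "New Doc 163 Page 9"
    msg.set_content("Scanned by CamScanner")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="New Doc 158_9.zip")
    return msg.as_bytes()
```

The script-in-ZIP finding is the most durable of the four, since the subject and filename numbers change with each email.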
