MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “New Doc 163 Page 9” (note that the Doc and Page numbers change with each email).
This email is sent from the spoofed address “CamScanner <*******@*********.**>” and has the following body:
Scanned by CamScanner
This email is not related to CamScanner.
The malware is detected by 2/56 AV engines at VirusTotal, and the malicious file is detected as HEUR.JS.Trojan.ba or JS/Locky.Y.gen. The naming indicates that this is possibly Locky ransomware.
Note: no Malwr analysis is available because the service takes too long at this moment.