New JavaScript malware: Invitation letter


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invitation letter”.

This email is sent from the spoofed address “xxxxx ” and has the following body:

Dear Mrs/Mr,

In the attached file you find the requested invitation letter.

If you have any questions, please do not hesitate to contact me.

Best Regards
Gogo Inc.
Alma Pratt

The attached file invitation_c0e2ffb3a.zip contains the file employees -8569-.js.

The malware is detected by 10/57 AV engines at VirusTotal. Malwr analysis shows that additional malware in the form of a binary file c9ertm7m is downloaded from the location hxxp://nalvazhvagam.com/c9ertm7m. Adding the .exe file extension to the file makes it complete.

The downloaded file is detected by 2/56 AV engines at VirusTotal and the analysis is available on Malwr.

Note that the names in the email and file names of the ZIP archive, extracted and downloaded files will change with each email.