New JavaScript malware: RE: copy

MX Lab started to intercept a new malware distribution campaign by email with the subject “RE: copy”.

This email is sent from spoofed addresses and has the following body:

Dear imen.matmati,

With reference to the telephonic conversation, I am sending a copy of document attached to this mail.

Hope to hear from you soon .


Energizer Holdings, Inc.
Aida Cummings

The attached file contains the file reference-1645-.js.

The malware is detected by 4/57 AV engines at VirusTotal. Malwr analysis shows that the file bo6w3 is downloaded from the location hxxp:// When .exe is added to the filename, the binary becomes an executable.

The malware is detected by 0/56 AV engines at VirusTotal and the analysis is available on Malwr.

The naming of the ZIP archive, the extracted JavaScript file and the download may vary with each email.