MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “RE: copy”.
This email is sent from spoofed addresses and has the following body:
With reference to the telephonic conversation, I am sending a copy of document attached to this mail.
Hope to hear from you soon .
Energizer Holdings, Inc.
The attached file doc_copy_imen.matmati.zip contains the file reference-1645-.js.
The malware is detected by 4/57 AV engines at VirusTotal. Malwr analysis shows that the file bo6w3 is downloaded from the location hxxp://lerens.com/bo6w3. When .exe is added to the filename, the binary becomes an executable.
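The two traits reported above, a zip attachment that carries a script file and a payload served without an extension, can both be checked by content rather than by name. The following is an added example, not code from MX Lab: the extension list is an assumed policy choice, the function names are hypothetical, and the sample inputs are constructed placeholders that contain no malware.

```python
import io
import zipfile

# Assumed policy list: script types that Windows Script Host runs on double-click.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf")


def script_members(zip_bytes):
    """Return names of archive members whose extension marks them as WSH scripts."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return [name for name in archive.namelist()
                if name.lower().endswith(SCRIPT_EXTENSIONS)]


def looks_like_pe(data):
    """True if data has a DOS 'MZ' header whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew: 4-byte little-endian offset of the PE header, stored at 0x3C.
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def build_sample_zip():
    """Constructed sample: a zip holding a harmless .js file named as in the report."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("reference-1645-.js", "// constructed placeholder\n")
    return buffer.getvalue()


def build_sample_pe_stub():
    """Constructed sample: only the MZ and PE signatures, no code or sections."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(header) + b"PE\0\0"


if __name__ == "__main__":
    # Flag the attachment by its contents, and the download by its magic bytes.
    print("script members:", script_members(build_sample_zip()))
    print("extensionless file is PE:", looks_like_pe(build_sample_pe_stub()))
```

A mail gateway or proxy applying checks of this kind flags the attachment and the download regardless of what the files are called.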