New JavaScript malware: RE: copy


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “RE: copy”.

This email is sent from spoofed addresses and has the following body:

Dear imen.matmati,

With reference to the telephonic conversation, I am sending a copy of document attached to this mail.

Hope to hear from you soon .

Regards,

Energizer Holdings, Inc.
Aida Cummings

The attached file doc_copy_imen.matmati.zip contains the file reference-1645-.js.

The malware is detected by 4/57 AV engines at Virus Total. Malwr analysis shows that the file bo6w3 is downloaded from the location hxxp://lerens.com/bo6w3. When .exe is added to the filename, the binary becomes an executable.

The malware is detected by 0/56 AV engines at Virus Total and the analysis is available on Malwr.

The naming of the ZIP archive, the extracted JavaScript file and the download may vary with each email.