New Javascript malware: Information request


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Information request”.

This email is sent from spoofed sender addresses and has the following body:

Dear management,

As per our discussion yesterday, please find attached the amended meeting minutes.
I have accepted the majority of the changes requested, however there are some that I have left in the document.
I have included the edits as track changes.

Please confirm that the changes we have made are acceptable.

Many thanks

Regards,

Jazz Pharmaceuticals plc
Tuan Wooten
Tel.: +1 (386) 630-30-75

Dear sbesyfa,

As per our discussion yesterday, please find attached the amended meeting minutes.
I have accepted the majority of the changes requested, however there are some that I have left in the document.
I have included the edits as track changes.

Please confirm that the changes we have made are acceptable.

Many thanks

Regards,

IAC/InterActiveCorp
Millie Villarreal
Phone: +1 (862) 937-69-12

The attached file changes_management.zip contains the file changes-4817-.js. The extracted file contains obfuscated Javascript. Here is a small part of the code:

/*@cc_on

var azTvPaxTm = ';.}.\n.\r.;.).(.].).1.l.E.G.B.W.U.U.(.b.U.K.O. .+. .9.n.Q.F.P.[.v.M.D.F. . . . .\n.\r.\n.\r.;.).2. .,.x.D.A.B.D.K.T.(.].4.f.O.N.Q. .+. .5.o.G.D.M.T.J.X. .+. .6.j.P.H.C.[.v.M.D.F. . . . .\n.\r.;.).).t.Q.S.P.(.i.F.C.I.W.K.Q.(.].).).(.}.;.1.s.D.X.L.E.U.F. .n.r.u.t.e.r.{.).(.2.u.N.C.D.Z.Z.W. .n.o.i.t.c.n.u.f.(. .+. .8.r.M.P.O. .+. .w.A.L.W.[.v.M.D.F. . . . .\n.\r.;.).(.].q.E.D.A. .+. .a.X.P.Z.J.Q.C.[.v.M.D.F. . . . .\n.\r
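The excerpt above gives a mail gateway two things to key on: the `/*@cc_on` header, which is JScript conditional compilation and only means anything to Windows Script Host or Internet Explorer, and the long literal built from single characters separated by dots. Reading that literal backwards (`.n.r.u.t.e.r` becomes `return`, `.n.o.i.t.c.n.u.f` becomes `function`) suggests the first layer is simply a reversed, dot-delimited character list. The following Python script is an added example written for this post, not MX Lab's code: it opens a ZIP attachment in memory, triages any script member without executing it, and decodes literals that match that pattern so an analyst can see the keywords. The reversed-dot reading and the keyword list are my assumptions; the embedded ZIP and JS content are constructed to mirror the naming in the post, not the real payload.

```python
"""Triage helper for e-mail ZIP attachments carrying JScript droppers.

Added example for this post, not MX Lab's code. It assumes two things about the
sample: (1) the '/*@cc_on' header marks JScript conditional compilation, which
only Windows Script Host / IE honour, and (2) the long literal is a reversed,
dot-delimited character list (reading '.n.r.u.t.e.r' backwards gives 'return').
The second point is my reading of the excerpt, not something the post states.
"""
import io
import re
import zipfile

# Extensions a mail gateway should treat as executable script content.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta")

# Constructed literal modelled on the excerpt in the post (not the real payload).
OBF_LITERAL = (";.}.;.).(.].).1.l.E.G.B.W.U.U.(.b.U.K.O. .+. .9.n.Q.F.P.[.v.M.D.F"
               ".1.s.D.X.L.E.U.F. .n.r.u.t.e.r.{.).(.2.u.N.C.D.Z.Z.W. .n.o.i.t.c.n.u.f")

# Constructed script body with the same shape as the intercepted file.
SAMPLE_JS = "/*@cc_on\nvar azTvPaxTm = '" + OBF_LITERAL + "';\n@*/\n"

# Single-quoted JS string literals (handles backslash escapes, stops at newline).
SINGLE_QUOTED = re.compile(r"'((?:[^'\\\n]|\\.)*)'")


def is_dot_delimited(s: str) -> bool:
    """True when every second character is '.', i.e. the 'a.b.c' style encoding."""
    return len(s) >= 9 and len(s) % 2 == 1 and all(s[i] == "." for i in range(1, len(s), 2))


def decode_reversed_dotted(s: str) -> str:
    """Split on '.', reverse the pieces and join them back into plain text.

    A literal '.' in the original text would have appeared as '..' and is lost
    here; that is acceptable for triage, where readable keywords are the goal.
    """
    return "".join(reversed(s.split(".")))


def triage_js(source: str) -> dict:
    """Collect the indicators an analyst wants before deciding to block."""
    decoded = [decode_reversed_dotted(lit) for lit in SINGLE_QUOTED.findall(source)
               if is_dot_delimited(lit)]
    # Keywords that should never appear inside a "meeting minutes" attachment.
    keywords = {"function", "return", "ActiveXObject", "WScript", "eval"}
    hits = sorted(k for k in keywords if any(k in d for d in decoded))
    return {
        "cc_on": "@cc_on" in source,
        "decoded_literals": decoded,
        "keywords": hits,
        "suspicious": "@cc_on" in source or bool(hits),
    }


def scan_zip_attachment(zip_bytes: bytes) -> list:
    """Open the archive in memory and triage each script member.

    Returns a list of (member name, triage dict). Nothing is executed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if member.lower().endswith(SCRIPT_EXTENSIONS):
                text = zf.read(member).decode("utf-8", errors="replace")
                findings.append((member, triage_js(text)))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed ZIP mirroring the post's naming: changes_management.zip / changes-4817-.js."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("changes-4817-.js", SAMPLE_JS)
    return buf.getvalue()


if __name__ == "__main__":
    for name, result in scan_zip_attachment(build_sample_attachment()):
        print(name, "suspicious" if result["suspicious"] else "clean")
        for literal in result["decoded_literals"]:
            print("  decoded:", literal)
```

Run against the constructed attachment, the script flags `changes-4817-.js` on the `@cc_on` header alone and also recovers `function WZZDCNu2(){return FUELXDs1FDMv[PFQn9 + OKUb(UUWBGEl1)]();};` from the literal, which is enough to see that the "minutes" are a script that builds and calls functions. Because the post notes that the archive name, script name and download location change per message, the extension list and the structural checks are what a gateway rule should rest on, not the specific filenames.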

The Javascript file is detected by 2/57 AV engines at VirusTotal. Malwr analysis shows that it downloads a binary file from the location hxxp://tcmiddenmeer.nl/lw3zccy6.

The downloaded binary is detected by 0/55 AV engines at VirusTotal, and its analysis is available on Malwr.

The content of the email, the naming of the ZIP archive, the extracted Javascript file and download may vary with each email.