New JavaScript malware in ZIP archive by email message with subject “Re:”

MX Lab started to intercept a new large malware distribution campaign by email with the subject “Re:”.

This email is sent from spoofed addresses and has the following body:

Dear carlasvhue:

Please find attached our invoice for services rendered and additional disbursements in the above-mentioned matter.

Hoping the above to your satisfaction, we remain.

Lynnette Fernandez
Executive Director Finance & Information Systems

The attached ZIP archive contains the file addition-029.js (format addition_number.js). This file contains obfuscated JavaScript.

The malware is detected as Js.Trojan.Raas.Auto or virus.js.gen.85 by 2/55 AV engines at VirusTotal.
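With detection this low, a mail gateway can flag the delivery shape described above (a ZIP attachment carrying a script file) instead of relying on AV signatures. The following is an added example, not code from MX Lab: the function names, the extension list, the file-name regex and the constructed sample message (with a harmless placeholder script in `sample.zip`) are assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Name pattern taken from the sample on this page (addition-029.js);
# treating it as word + separator + digits + ".js" is an assumption.
NAME_RE = re.compile(r"^[a-z]+[-_]\d+\.js$", re.IGNORECASE)
SCRIPT_EXT = (".js", ".jse", ".wsf", ".vbs")  # assumption: script types worth blocking


def scan_message(raw: bytes) -> list[dict]:
    """Return one finding per script file found inside ZIP attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue  # judge by content, not by the declared MIME type
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                base = info.filename.rsplit("/", 1)[-1]
                if base.lower().endswith(SCRIPT_EXT):
                    findings.append({
                        "subject": str(msg["Subject"]),
                        "attachment": part.get_filename(),
                        "member": info.filename,
                        "campaign_name": bool(NAME_RE.match(base)),
                    })
    return findings


def build_sample() -> bytes:
    """Constructed test message: harmless one-line script inside a ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("addition-029.js", "// placeholder, not malware\n")
    msg = EmailMessage()
    msg["Subject"] = "Re:"
    msg.set_content("Please find attached our invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in scan_message(build_sample()):
        print(f)
```

Any finding is grounds to quarantine the message; `campaign_name` only indicates that the member name also matches the naming seen in this campaign.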