New Javascript malware with subject “Corresponding Invoice” leads to Locky


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Corresponding Invoice”.

This email is sent from spoofed addresses and has the following body:

Dear pyhewliof:

Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am
writing to confirm receipt of your order, and to inform you that the item you requested will be delivered
by 25 June at the latest. If you require more information regarding this order, please do not hesitate to
contact me.

Also, our records show that we have not yet received payment for the previous order of 11 June,
so I would be grateful if you could send payment as soon as possible. Please find attached the
corresponding invoice.

If there is anything else you require, our company would be pleased to help. Looking forward to
hearing from you soon.

Yours sincerely
Ollie Fields
Distributor Sales Manager EMEA

The attached file pyhewliof_unpaid_351165.zip contains the file unpaid-4716.js. The header of the email and the naming of the attached ZIP archive will vary with each email.
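Because the ZIP name, the inner script name and the mail headers change from message to message, a gateway rule keyed on the exact filenames from this sample will not hold. The following Python script is an added example (not MX Lab's code) of the check that does generalise: open every attachment, detect ZIP content by its magic bytes rather than its declared extension, and flag any archive that carries a script-type file (.js, .jse, .vbs, .wsf, .hta). The sample message it builds is constructed inline to mirror this campaign's layout; the inner .js is a harmless placeholder, not the real downloader, and the addresses are placeholders.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions of script-type attachments that commonly act as downloaders.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def build_sample_eml():
    """Construct a message mirroring the campaign: a ZIP attachment wrapping a
    small .js file. The script body is a harmless placeholder (constructed)."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("unpaid-4716.js", "// placeholder, not the real downloader\n")
    msg = EmailMessage()
    msg["Subject"] = "Corresponding Invoice"
    msg["From"] = "Ollie Fields <sender@example.invalid>"   # placeholder address
    msg["To"] = "pyhewliof@example.invalid"                 # placeholder address
    msg.set_content("Please find attached the corresponding invoice.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="pyhewliof_unpaid_351165.zip")
    return msg.as_bytes()


def scripts_in_zip(data):
    """Return the names of script-type members inside a ZIP blob.
    Corrupt or non-ZIP input yields an empty list instead of an exception."""
    names = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                ext = os.path.splitext(info.filename)[1].lower()
                if ext in SCRIPT_EXTENSIONS:
                    names.append(info.filename)
    except zipfile.BadZipFile:
        pass
    return names


def inspect_eml(raw):
    """Parse a raw RFC 5322 message and report script attachments, bare or
    wrapped in a ZIP. ZIPs are recognised by the 'PK' magic, so a renamed
    archive (e.g. invoice.dat) is still inspected."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(filename)[1].lower()
        if ext in SCRIPT_EXTENSIONS:
            findings.append({"attachment": filename, "script": filename,
                             "container": None})
        elif payload[:2] == b"PK":
            for inner in scripts_in_zip(payload):
                findings.append({"attachment": filename, "script": inner,
                                 "container": "zip"})
    return {"subject": str(msg["Subject"]), "findings": findings,
            "block": bool(findings)}


if __name__ == "__main__":
    report = inspect_eml(build_sample_eml())
    print(report)
```

On the constructed sample the report lists pyhewliof_unpaid_351165.zip with the inner unpaid-4716.js and sets `block` to True; the same logic applies unchanged to the next message in the campaign, whatever names it uses. Quarantining on this finding is a reasonable default for most organisations, since legitimate invoices are not delivered as zipped scripts.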

The malware is detected by 1/53 AV engines at Virus Total. Malwr analysis shows that different download locations are being used:

personal-architecture.nl/6gcpaey
ding-a-ling-tel.com/b289dg
plasticsmachine.com/d43ndxna
hyip-all.com/9qwmc65

The malware is detected by 8/56 AV engines at Virus Total.