MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Corresponding Invoice”.
This email is sent from spoofed addresses and has the following body:
Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am
writing to confirm receipt of your order, and to inform you that the item you requested will be delivered
by 25 June at the latest. If you require more information regarding this order, please do not hesitate to
Also, our records show that we have not yet received payment for the previous order of 11 June,
so I would be grateful if you could send payment as soon as possible. Please find attached the
If there is anything else you require, our company would be pleased to help. Looking forward to
hearing from you soon.
Distributor Sales Manager EMEA
The attached file pyhewliof_unpaid_351165.zip contains the file unpaid-4716.js. The header of the email and the name of the attached ZIP archive will vary with each email.
The malware is detected by 8/56 AV engines at VirusTotal.
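Because the archive and script names change with every email, a mail filter has to look inside the ZIP rather than match on file names. The following is an added example, not MX Lab's own code: it flags ZIP attachments that contain a script file. The extension list, function names and the sample message are constructed assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist: extensions handled by Windows Script Host on double-click.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")


def script_members(raw_email: bytes) -> list[tuple[str, str]]:
    """Return (attachment name, member name) for each script inside a ZIP attachment."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Match on ZIP magic bytes, not file name or MIME type: both vary per email.
        if not data.startswith(b"PK\x03\x04"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue
        for name in names:
            if name.lower().endswith(SCRIPT_EXTS):
                hits.append((part.get_filename() or "", name))
    return hits


def build_sample(member: str, content: bytes) -> bytes:
    """Constructed test message shaped like the campaign: a ZIP with one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    msg = EmailMessage()
    msg["Subject"] = "Corresponding Invoice"
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content("Please find attached the invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="sample_unpaid_000000.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(script_members(build_sample("unpaid-0000.js", b"// inert placeholder")))
    print(script_members(build_sample("invoice.pdf", b"%PDF-1.4 placeholder")))
```

Nested archives and password-protected ZIPs are not unpacked here; a production filter would need to handle or quarantine those separately.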