New WSF malware in emails “Voice Message from Outside Caller”

MX Lab started to intercept a new malware distribution campaign by email with the subject “Voice Message from Outside Caller (2m 31s)”.

This email is sent from the spoofed address “Peach Telecom <>” and has the following body:

Voice Message Arrived on Friday, Aug 26 @ 8:50 AM
Name: Outside Caller
Number: Unavailable
Duration: 2m 31s
*****.BE SV9100 InMail

In each email, the duration changes and the domain of the recipient is included at the end of the message.

The attached file Outside Caller 08-26-2016 contains the file 08-26-2016 69tthi05.wsf, which is a Windows Script File. The filenames of the ZIP archive and the extracted WSF also change with each email.

The malware is detected by 9/56 AV engines at VirusTotal. Malwr analysis shows that more malware will be downloaded from hxxp:// Other URLs may be used in different variants.
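
An added example, not part of the original MX Lab post: because the archive and script filenames change with every email, a mail filter can key on structure instead and flag any ZIP attachment that contains a Windows script file. The function names, the extension list and the constructed sample message (with a harmless placeholder file) are assumptions for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script types Windows runs on double-click (Windows Script Host, mshta).
SCRIPT_EXTENSIONS = {".wsf", ".wsh", ".js", ".jse", ".vbs", ".vbe", ".hta"}


def script_members_in_zip_attachments(raw_email: bytes):
    """Return (attachment_name, member_name) for every script file found
    inside a ZIP attachment. Matching is on archive structure and member
    extension, because the archive and script names change per email."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        buf = io.BytesIO(payload)
        if not zipfile.is_zipfile(buf):  # check ZIP structure, not the filename
            continue
        with zipfile.ZipFile(buf) as zf:
            for name in zf.namelist():
                dot = name.rfind(".")
                ext = name[dot:].lower() if dot != -1 else ""
                if ext in SCRIPT_EXTENSIONS:
                    hits.append((part.get_filename() or "", name))
    return hits


def build_sample_email(member_name: str) -> bytes:
    """Constructed test message: a ZIP attachment holding one harmless file."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(member_name, "<job><!-- harmless placeholder --></job>")
    msg = EmailMessage()
    msg["Subject"] = "Voice Message from Outside Caller (2m 31s)"
    msg["From"] = "sender@example.test"  # constructed address
    msg["To"] = "user@example.test"      # constructed address
    msg.set_content("Voice Message Arrived on Friday, Aug 26 @ 8:50 AM")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="Outside Caller 08-26-2016")
    return msg.as_bytes()


if __name__ == "__main__":
    for att, member in script_members_in_zip_attachments(
            build_sample_email("08-26-2016 69tthi05.wsf")):
        print(f"script in archive: {att!r} -> {member!r}")
```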