New Javascript email based threat with subject “DHL Delivery”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “DHL Delivery”.

This email is sent from the spoofed address “DHL Express UK <**.**@***.**>” and has the following body:

YOUR SHIPMENT IS ON ITS WAY

Hello,

You have changed or confirmed the delivery details for your DHL EXPRESS shipment with waybill number 0350144045.

The scheduled delivery is Fri Apr 07 2017 before End of Day.

Please check your shipment and contact details below. If you need to make a change or track your shipment, click here. (JsReport – JavaScript based reporting platform)

Thank you for using On Demand Delivery.

DHL Express – Excellence. Simply delivered.

The embedded URL leads to the host hxxp://eisenmenger.us/photoarchive/wp-content/themes/Anderson-twentytwelve-child/dhl___status__fkab42676zpXt/, which serves a file named dhl___status__8029174876_____Fri___Apr___07___2017.js.

This is an obfuscated JavaScript downloader that fetches a malicious file from hxxp://inlinemedia.co.uk/download2063/.

The JavaScript file is detected by 7/56 AV engines at VirusTotal, and the analysis is available on Malwr.

The downloaded file comes as 2253.exe and is a Windows executable. The executable is detected by 12/61 AV engines at VirusTotal, and the analysis is available on Malwr.
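The indicators in this write-up (a "DHL Delivery" subject, a "DHL Express UK" display name on a non-DHL sender address, and a link whose path carries the dhl___status__ directory name or ends in a .js file) translate directly into a mail-gateway rule. The following is an added example of such a check, written for this post rather than taken from MX Lab; the two sample messages are constructed, use the reserved example.invalid domain in place of the hosts in the campaign, and the list of domains treated as DHL's own is an assumption.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators taken from the campaign described above.
SUSPECT_SUBJECT = re.compile(r"\bDHL Delivery\b", re.IGNORECASE)
# The downloader is reached via a directory named dhl___status__<id>/ and
# arrives as a .js file, so either trait in a URL path is an indicator.
DOWNLOADER_PATH = re.compile(r"dhl___status__|\.js(?:$|[?#])", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Assumption: only this domain is treated as a legitimate DHL sender.
LEGIT_DHL_DOMAINS = ("dhl.com",)


def _message_text(msg) -> str:
    """Concatenate the decoded text/* parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def check_message(raw: str) -> dict:
    """Return the campaign indicators present in one raw RFC 822 message."""
    msg = message_from_string(raw)
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    body = _message_text(msg)

    indicators = []
    if SUSPECT_SUBJECT.search(subject):
        indicators.append("subject_matches_campaign")
    # Brand name in the display name but the address is not DHL's: spoofed sender.
    if "dhl" in display_name.lower() and sender_domain not in LEGIT_DHL_DOMAINS:
        indicators.append("spoofed_dhl_sender")
    downloader_links = [u for u in URL_RE.findall(body)
                        if DOWNLOADER_PATH.search(urlparse(u).path)]
    if downloader_links:
        indicators.append("js_downloader_link")

    return {"subject": subject, "sender": address,
            "indicators": indicators, "downloader_links": downloader_links}


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Quarantine when at least `threshold` independent indicators coincide."""
    return len(check_message(raw)["indicators"]) >= threshold


# Constructed sample mimicking the lure above (hosts replaced by example.invalid).
SAMPLE_PHISH = """\
From: DHL Express UK <notify@example.invalid>
To: victim@example.invalid
Subject: DHL Delivery
Content-Type: text/plain; charset=utf-8

YOUR SHIPMENT IS ON ITS WAY

You have changed or confirmed the delivery details for your DHL EXPRESS shipment.
If you need to make a change or track your shipment, click here:
http://example.invalid/wp-content/themes/child/dhl___status__fkab42676zpXt/
"""

# Constructed benign message from the assumed legitimate domain.
SAMPLE_BENIGN = """\
From: DHL <noreply@dhl.com>
To: customer@example.invalid
Subject: Your invoice is ready
Content-Type: text/plain; charset=utf-8

Your invoice is available at https://www.dhl.com/track
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, is_suspicious(raw), check_message(raw)["indicators"])
```

Requiring two coinciding indicators keeps a single shared trait (a real DHL notice with the same subject, or any newsletter linking a .js asset) from being quarantined on its own, while a message that both spoofs the brand and links to the downloader directory is caught even if the campaign rotates hosts.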

2 thoughts on “New Javascript email based threat with subject “DHL Delivery””

  1. Assuming Outlook as the email client and an embedded link with an href set to the JavaScript file in question, clicking a link like this brings up the View Downloads dialog box. If the user presses the Run button then a Microsoft JScript session kicks off… only none of the Microsoft JScript commands seem to work for any subsystem: browser, command line or as a window-based context. The document object doesn’t exist, the print() function isn’t valid nor is there a window object available. It would be nice to know which system is being used for this to test the vulnerability.
