An example of the spam campaign claims to be a resume from a fake named sender.
Extracting the ZIP file contains a file with .JS file extension
Cleaning up the code shows a function named "dl" that carries out the download routine using ActiveXObject framework, saving downloaded files to the Windows Temporary folder and then executing them.
The downloaded files have a destructive payload, one of which may result to permanent loss of files. The deobfuscated URL shows the link pointing to .JPG files; these are actually malicious Windows executables. Once they are downloaded, the files are renamed to .EXE file extension and saved in the Temporary folder. The file named 2.jpg belongs to a Fareit botnet that is designed to steal credentials from FTP clients, web browsers, mail clients and even bitcoin wallets.
The stolen credentials are then sent to a list of remote control servers.
The other downloaded executable disguised in the URL link as 3.jpg is an Outlook email harvester. The Trojan attempts to harvest Outlook contacts and sends the collected data to the domain name spamhausgandon[.]com.
The last payload is the file 1.jpg that is actually an executable file of a ransomware otherwise known as a Cryptolocker. The Trojan encrypts targeted fileswhich include Office documents such as .doc, .docx, .xls, .xlsx, .pdf, also of images such as .jpg, .png, .raw, .svg and others
After encrypting the target files, an instruction note in different file format (html or txt or image) is dropped in the victim's computer with instructions on how to pay the operators in exchange for restoring the encrypted files.
Trustwave Secure Email Gateway blocks this malicious spam campaign