We received new spam emails which contain a JavaScript redirector in form of a HTML attachment. The emails we received have the subject “Consultation Appointment”.
The decrypted JavaScript consists of new JavaScript code.
This JavaScript redirector loads yet another JavaScript from the internet. The domain which is hosting the malicious .js is registered to someone from Malaga. Domain tools show that this person has registered about 2.400 other domains.
The downloaded file contains an invisible, hidden iframe which is supposed to download further code from the internet. The target behind that iframe is already offline, luckily.