High numbers of e-mails trying to infect systems / 2016-03-14 - Koos van den Hout

The number of attempts to infect systems via malicious JavaScript attached to e-mail is quite high at the moment, all of them trying to fake some urgency so I will open the attachment without checking. Some recent samples:
Your credit card has been billed for $187,11. For the details about this transac tion, please see the ID: 12824622-12824622 transaction report attached.

NOTE: This is the automatically generated message. Please, do not reply.
With:
Archive:  /tmp/statistic_12824622.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     4055  2016-03-14 13:44   finance_LutQLF.js
---------                     -------
Or this attempt at creating urgency:
Dear Citizen,

We are contacting you on behalf of a local Traffic Violation Bureau.

Our cameras have detected that the driver of the vehicle associated with your personal number on March 10th, 2016 has committed a violation of the rules with a code: 38430 Unfortunately, we will have no other option rather than passing this case to the local police authorities.

Please, see the report with the documents proofs attached for more information on this case.
Archive:  /tmp/report_29613630.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     4055  2016-03-14 13:44   accent_VvMFoz.js
---------                     -------
And some mix of a standard message in some system with a company disclaimer:
Your message is ready to be sent with the following file or link attachments:

IMG_1414

Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled.

Please consider the environment before printing this email.

E-mail messages may contain viruses, worms, or other malicious code. By reading the message and opening any attachments, the recipient accepts full responsibility for taking protective action against such code. Henry Schein is not liable for any loss or damage arising from this message.

The information in this email is confidential and may be legally privileged. It is intended solely for the addressee(s). Access to this e-mail by anyone else is unauthorized.
Or this try:
Our finance department has processed your payment, unfortunately it has been declined.

Please, double check the information provided in the invoice (attached to this mail) and confirm your details.

Thank you for understanding.

Fermin Paul Project Manager
From: ********@clicktravel.com
Subject: Itinerary #A3E2719
Date: Tue, 15 Mar 2016 12:21:01 -0200

Please see document attached

With:
Archive:  /tmp/Hotel-Fax-V004X3R8_4983252052512314320.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     6994  2016-03-15 18:01   UMC7869178910.js
---------                     -------
     6994                     1 file
Which looks like somewhat readable JavaScript, but turns out to be quite obfuscated when I try to find out what it actually does:
RXPBqXKexc = "    if ( result == null ) {      return operator === \"!=\";     }     if ( !operator ) {      return true;     ";
mowSJrO.splice(7, italianoI + 2);
errol = mowSJrO[3 * 5 - 3 * 3].split("princeton").join("");
var SsDEwXL = this[errol];
cvVwbXTvf = "UjAVgFt";
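The pattern in all of these samples is the same: a zip archive whose only member is a script that Windows will run on double-click. That can be caught before the script ever runs by looking at the archive listing, the same way the unzip output above does. The following is an added example (my own code, not something from the original post or from any mail gateway product) that parses a constructed MIME message, inspects each zip attachment in memory without extracting it, and reports members with executable-script extensions. The message, the archive and the file contents are all constructed here for the demonstration; only the file names are borrowed from the listings above.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that Windows Script Host or the shell executes on double-click.
# The spam samples above all carry .js members; the rest are common variants.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
    ".hta", ".exe", ".scr", ".cmd", ".bat",
}


def scan_zip_bytes(data):
    """Return (member_name, size) for every member that is an executable script.

    Only the central directory is read; nothing is extracted to disk.
    Double extensions such as invoice.pdf.js are caught because only the
    final extension is examined.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            ext = lower[lower.rfind("."):] if "." in lower else ""
            if ext in SCRIPT_EXTENSIONS:
                findings.append((info.filename, info.file_size))
    return findings


def scan_message(raw_bytes):
    """Return (attachment_name, member_name, size) for every script hidden in a zip attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Check both the claimed name and the magic bytes: senders relabel archives.
        if filename.lower().endswith(".zip") or payload[:2] == b"PK":
            try:
                for member, size in scan_zip_bytes(payload):
                    findings.append((filename, member, size))
            except zipfile.BadZipFile:
                # Claims to be a zip but is not: worth flagging on its own.
                findings.append((filename, "<not a valid zip archive>", len(payload)))
    return findings


def build_sample_message(member_name="finance_LutQLF.js", archive_name="statistic_12824622.zip"):
    """Construct a message modelled on the first sample above (constructed test data).

    The .js member contains only a harmless comment, not the real downloader.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// placeholder, not the real downloader\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"   # constructed address
    msg["To"] = "recipient@example.invalid"   # constructed address
    msg["Subject"] = "Your credit card has been billed"
    msg.set_content("Please see the attached transaction report.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=archive_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in scan_message(build_sample_message()):
        print("script attachment:", hit)
```

Running the module on the constructed message reports the .js member inside the archive; the same function applied to an archive with only a .pdf member returns nothing, which is what a gateway rule would key on to quarantine the first and pass the second.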

Update: No real surprise: it is all Locky ransomware being spammed, according to the Trustwave post "Massive Volume of Ransomware Downloaders being Spammed" and other sources.

Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 2C66 3B5D F0D7 C263 (local copy and via keyservers, key id 0x2C663B5DF0D7C263).