This threat involves a large (10MB) obfuscated Windows-flavored JavaScript file delivered via phishing. It uses ActiveXObject components to copy itself to a public directory and create a scheduled task for persistence. The script drops three PNG files containing AES-encrypted data. A PowerShell script decrypts these files to run commands that disable common Windows security monitoring functions (EtwEventWrite and AmsiScanBuffer) and extract a .NET DLL payload. This DLL is injected into an MSBuild.exe process and uses one of the PNG files to extract the final malware, identified as Formbook, a known information-stealing malware. The infection chain demonstrates multiple layers of obfuscation and evasion, complicating detection and analysis. VirusTotal detection is low, suggesting this threat may evade many antivirus products.

The malware establishes persistence on infected Windows systems and deploys Formbook, a known information stealer. It disables key Windows security features to evade detection and analysis. The presence of scheduled tasks and process injection indicates a stealthy, persistent infection capable of data theft or further malicious activity. Limited antivirus detection increases the risk of successful compromise.

No official patch or vendor advisory is available for this malware. Mitigation involves user awareness to avoid phishing emails and attachments, especially RAR archives containing JavaScript files. Endpoint detection and response solutions should be updated to detect obfuscated JavaScript and PowerShell behaviors described. Monitoring for creation of suspicious scheduled tasks and unexpected MSBuild.exe process injections may help identify infections. Since the malware uses known evasion techniques, deploying advanced behavioral detection and endpoint protection with heuristic capabilities is recommended.