Analysis by: Mary Isabel Segismundo

Trend Micro engineers came across spam messages that appear to be non-delivery reports or undelivered mail notices. Upon further investigation, these messages were verified to be falsely presented as coming from Google. The messages have varying sender addresses.

The spammed messages contain .ZIP attachments that use file names beginning with Google_Mail or Google_Drive. Opening the attachment executes a malicious JavaScript file that downloads other files that are probably malicious. For Trend Micro product users, the spam is blocked and the malicious script, detected as JS_NEMUCOD.XXUK, is prevented from executing on the affected computer.

SPAM BLOCKING DATE / TIME: September 01, 2015 GMT-8
  • ENGINE: 8.0
  • PATTERN: 1786
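A mail-gateway style check for the attachment pattern described above, as an added example (not Trend Micro's detection logic): it flags a message whose .ZIP attachment name begins with Google_Mail or Google_Drive and whose archive contains a script file. The script extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

NAME_PREFIXES = ("google_mail", "google_drive")  # prefixes named in this report
SCRIPT_EXTS = (".js", ".jse", ".wsf")  # assumption: extensions treated as scripts

def script_members(zip_bytes):
    """Return names of script files inside a ZIP, or None if it cannot be read."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return None

def flag_message(raw_bytes):
    """Return (attachment name, reason) pairs for attachments matching the pattern."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lowered = name.lower()
        if not (lowered.endswith(".zip") and lowered.startswith(NAME_PREFIXES)):
            continue
        scripts = script_members(part.get_payload(decode=True))
        if scripts is None:
            # A damaged archive with a matching name is still worth a look.
            findings.append((name, "unreadable ZIP"))
        elif scripts:
            findings.append((name, "script in ZIP: " + ", ".join(scripts)))
    return findings

def build_sample(attachment_name, member_name):
    """Constructed test message: ZIP attachment holding one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// constructed placeholder, not malware\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed undelivered mail notice"
    msg.set_content("Constructed sample body.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(flag_message(build_sample("Google_Mail_0001.zip", "notice.js")))
```

Because the sender addresses vary, the check keys on the attachment name and archive contents rather than on the From header.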